b'Office of Inspector General\n\n\nDecember 31, 2012\n\nMEMORANDUM\n\nTO:              USAID/El Salvador Mission Director, Kirk Dalhgren\n\nFROM:            Regional Inspector General/San Salvador, Jon Chasson /s/\n\nSUBJECT:         Stage 2 Risk Assessment of El Salvador\xe2\x80\x99s Ministry of Environment and Natural\n                 Resources (Report No. 1-519-13-001-S)\n\nThis memorandum transmits our final report on the subject risk assessment and includes\nrisk-mitigating measures for your review\n\nThis risk assessment is not an audit but contains risk mitigation measures to assist in mitigating\nrisk for USAID/El Salvador and to strengthen the host-country systems of the Ministry of\nEnvironment and Natural Resources of El Salvador and other applicable government\ninstitutions.\n\nBecause we request no management comments on the risk mitigation measures suggested, the \n\nAudit Performance and Compliance Division will not track final action.\n\n\nI appreciate the cooperation and courtesy extended to us throughout the review. \n\n\n\n\n\nU.S. Agency for International Development\nEmbajada Americana\nUrb. y Blvd Santa Elena\nAntiguo Cuscatlan, Depto. La Libertad\nSan Salvador, El Salvador\nTel. 503-2501-2999 \xe2\x80\xa2 Fax 503-2228-5459\nhttp://oig.usaid.gov/\n\x0cCONTENTS \n\nSummary...................................................................................................................................... 1 \n\n\nRisk Assessment Results ......................................................................................................... 3 \n\n\n     Management Control............................................................................................................... 3 \n\n     Human Resources .................................................................................................................. 5 \n\n     Budgeting ................................................................................................................................ 7 \n\n     Accounting and Financial Reporting ....................................................................................... 8 \n\n     Cash........................................................................................................................................ 9 \n\n     Procurement......................................................................................................................... 11 \n\n     Assets Management ............................................................................................................. 13 \n\n     Payroll ................................................................................................................................... 15 \n\n     Information Systems ............................................................................................................. 16 \n\n     Audit ...................................................................................................................................... 19 \n\n     Compliance With Local Laws and With Donor Agreements .................................................. 21\n\n\nAppendix I - Scope and Methodology..................................................................................... 24 \n\n\nAppendix II \xe2\x80\x93 Flow of Funds Under the Two Types of Agreements \n\nBeing Considered ..................................................................................................................... 29 \n\n\nAppendix III \xe2\x80\x93 Technical Capacity Assessment .................................................................... 31 \n\n\nAppendix IV \xe2\x80\x93 Public Financial Management Risk Assessment \n\nFramework Questionnaire ....................................................................................................... 34 \n\n\n\n\n\nAbbreviations\n\nThe following abbreviations appear in this report:\n\nADS             Automated Directives System\nIPR             Implementation and Procurement Reform\nIT              Information Technology\nLACAP           Law on Acquisition and Contracts\n                (Ley de Adquisiciones y Contrataciones de la Administraci\xc3\xb3n P\xc3\xbablica)\nMARN            Ministry of Environment and Natural Resources\n                (Ministerio de Medio Ambiente y Recursos Naturales)\nPFM             Public Financial Management\nSAI             Supreme Audit Institution\n\x0cSUMMARY \n\nUnder the USAID Forward initiative, missions are encouraged to deliver foreign assistance\nthrough host-country systems to improve aid effectiveness and sustainability. As noted in\nAgency guidance, Automated Directives System 220, USAID\xe2\x80\x99s assistance is most effective\nwhen it can work through partner-country public financial management (PFM) systems, rather\nthan around them, to ensure that the aid reinforces the accountability of a government to its\npeople. This use of host nation systems is central to the USAID Forward Implementation and\nProcurement Reform (IPR) effort.\n\nCurrently, USAID/El Salvador is developing a Country Development Cooperation Strategy that\nrecognizes the importance of promoting IPR in El Salvador. El Salvador\xe2\x80\x99s Ministry of\nEnvironment and Natural Resources (MARN) showed interest in directly participating in IPR\nthrough a project to restore ecosystems. The project seeks to enhance ecosystems\xe2\x80\x99 resilience\nthrough biodiversity conservation in forests and wetlands.\n\nIn accordance with ADS Chapter 220, before initiating this program USAID/El Salvador used the\nPublic Financial Management Risk Assessment Framework to assess MARN\xe2\x80\x99s systems,\nevaluate risk, and develop necessary risk mitigation measures. The Stage 1 assessment,\ncompleted in November 2011, concluded that the fiduciary risk should not prevent the mission\nfrom incorporating public sector implementation strategies in the new Country Development\nCooperation Strategy.\n\nAt the request of USAID/El Salvador, the Regional Inspector General/San Salvador initiated a\nStage 2 risk assessment of MARN. The purpose of this risk assessment was to (1) test MARN\xe2\x80\x99s\nPFM systems1 and validate their operations, internal controls, and day-to-day practices;\n(2) identify potential vulnerabilities in the systems; and (3) recommend appropriate risk-\nmitigating measures.\n\nThe risk assessment evaluated 23 areas of operations and internal controls of MARN and\ngovernment institutions providing direct accounting and auditing services to MARN and\ndetermined a risk rating based on (1) the probability of negative incidents (such as control\nfailures) in PFM systems and (2) the potential impact on program integrity. Although some\nvulnerabilities were outside MARN\xe2\x80\x99s control, such as when processes are controlled by other\ngovernment institutions, a high risk rating was assessed because the vulnerabilities directly\naffected MARN\xe2\x80\x99s operations and programs. The risk assessment also identified institutional\nstrengthening actions that MARN and stakeholders might adopt to address the vulnerabilities.\n\nDuring the planning phase, the mission did not define the scope of the ecosystem restoration\nproject. Therefore, our assessment included tests of MARN as an institution and all areas\npotentially having an effect on the proposed project. The results of the testing are summarized\nin the following table.\n\n\n\n\n1\n The risk assessment also reviewed PFM systems used by MARN but maintained by other Salvadoran\nGovernment entities, such as the Ministry of Finance, the Ministry of Customs, and SAI.\n\n                                                                                             1\n\x0c                                           Testing Results\n                              AREA EVALUATED                                                   RISK RATING*\n  Management Control \xe2\x80\x93 Institutional Risk Management                                              Critical\n  Management Control - Management Ethics                                                           High\n  Human Resources \xe2\x80\x93 Resources Management                                                           High\n  Budgeting \xe2\x80\x93 Budget Formulation and Use of Funds                                                 Critical\n  Budgeting \xe2\x80\x93 Reporting and Recording                                                              High\n  Accounting and Reporting \xe2\x80\x93 Journal Entries                                                        Low\n  Accounting and Reporting \xe2\x80\x93 Financial Reporting                                                  Critical\n  Cash \xe2\x80\x93 Use of Funds                                                                             Critical\n  Cash \xe2\x80\x93 Recording and Reporting                                                                    Low\n  Procurement \xe2\x80\x93 Budget Formulation and Use of Funds                                                 Low\n  Procurement \xe2\x80\x93 Recording and Tracking of Disbursements                                           Critical\n  Assets Management \xe2\x80\x93 Use of Assets                                                                High\n  Assets Management \xe2\x80\x93 Recording and Reporting                                                     Critical\n  Payroll \xe2\x80\x93 Use of Funds                                                                            Low\n  Payroll \xe2\x80\x93 Recording and Reporting                                                                 Low\n  Systems \xe2\x80\x93 (MARN) Backups, Business Continuity, Physical Controls and\n                                                                                                    Critical\n  Passwords\n  Systems \xe2\x80\x93 (Ministry of Finance) \xe2\x80\x93 Reporting and Recording                                         Critical\n  Systems \xe2\x80\x93 (Ministry of Finance) \xe2\x80\x93 Backups, Business Continuity, Physical\n                                                                                                    Critical\n  Controls and Passwords\n  Audit \xe2\x80\x93 Internal Audit Function at MARN                                                            High\n  Audit \xe2\x80\x93 Financial Audit Function                                                                   High\n  Compliance With Local Procurement Law                                                             Critical\n  Compliance With Local Laws                                                                        Critical\n  Compliance With Donor Agreements                                                                   High\n * Risk ratings are determined based on (1) the probability of negative incidents and (2) the potential impact on\n program integrity. Please refer to the methodology described in Appendix I of the report for a description of the\n various risk ratings.\n\nThe scope and methodology for this risk assessment are described in Appendix I. Flow charts\nshowing the reimbursement process under the two possible types of agreements that the\nmission may sign with MARN appear in Appendix II. Appendix III contains the mission\xe2\x80\x99s\ntechnical capacity assessment.     The Public Financial Management Risk Assessment\nFramework questionnaire is in Appendix IV.\n\n\n\n\n                                                                                                                2\n\x0cRISK ASSESSMENT RESULTS \n\nArea Evaluated                                                      Risk Rating\nManagement Control \xe2\x80\x93 Institutional risk management       Probability: Probable\nPotential Impact                                                                     Critical\nProgram objectives not achieved                         Impact:        Significant\n                            Factors Evaluated/ Vulnerabilities\nFactors Evaluated:\n\xef\x82\xb7 Institutional risk assessment and risk mitigation process\n\xef\x82\xb7 Annual evaluations of progress toward goals\n\nVulnerabilities:\n\xef\x82\xb7 MARN has not established a process for assessing, monitoring, mitigating, or managing\n   organizational risks and potential impact.\n\xef\x82\xb7 MARN does not have a process for capturing lessons learned, which is an integral part\n   of every project and serves as a valuable tool for similar projects/programs.\n\xef\x82\xb7 Government institutions use line-item budgeting rather than programmatic budgeting.\n   Consequently, resource allocations do not align with targeted outputs or long-term goals.\n   Through its Fiscal Policy Technical Assistance Project, USAID is supporting the\n   implementation of the Medium-Term Expenditure Framework, programmatic budgeting,\n   and other activities to prepare the Salvadoran Government to implement a results-\n   oriented budget system.\n                         MARN Institutional Strengthening Actions\n\xef\x82\xb7 Establish an annual process to assess, mitigate, monitor, and manage its organizational\n   risks and potential impact.\n\xef\x82\xb7 Establish a process for capturing lessons learned that emerge during program\n   evaluations, and ensure that these lessons are applied to future programs.\n\xef\x82\xb7 Continue with the implementation of a performance-oriented budget approach, clearly\n   linking the funding of programs to outputs and outcomes.\n             Government of El Salvador Institutional Strengthening Actions\n\xef\x82\xb7 None\n                              USAID Risk Mitigation Measures\n\xef\x82\xb7 Help MARN implement the actions noted above to strengthen the PFM system.\n\xef\x82\xb7 Implement a fixed-amount reimbursement agreement or a cost reimbursement\n   agreement with appropriate mission monitoring to ensure compliance.\n\xef\x82\xb7 Require the use of a special account for the project, and require the Supreme Audit\n   Institution (SAI) to perform a yearly audit in accordance with guidelines.\n\n\n\n\n                                                                                                3\n\x0cArea Evaluated                                                       Risk Rating\nManagement Control - Management ethics                     Probability: Probable\nPotential Impact                                                                        High\nMisuse or misappropriation of funds                        Impact:        Marginal\n                           Factors Evaluated/ Vulnerabilities\nFactors Evaluated:\n\xef\x82\xb7 Organizational structure\n\xef\x82\xb7 Local ethical standards and regulations\n\xef\x82\xb7 Segregation of duties\n\xef\x82\xb7 Process for evaluating complaints and allegations of potential fraud, waste, or abuse\n\nVulnerabilities:\n\xef\x82\xb7 MARN\xe2\x80\x99s policies allow the Minister to bypass the competitive hiring selection process to\n   authorize the direct hiring of employees or supervisors of his choice.\n\xef\x82\xb7 We were unable to confirm that all senior ministry staff had submitted a financial\n   disclosure or declaration of interest statement as required by local transparency laws.\n\xef\x82\xb7 Local transparency and ethics laws were revised in January 2012; however, MARN has\n   not developed its own policies and procedures to guide employees on the application of\n   these laws to ensure compliance.\n\xef\x82\xb7 As required by the local transparency and ethics laws, MARN has established an\n   institutional ethics committee. However, the committee has not established a process to\n   log and track complaints of fraud and abuse and report them to the Government of\n   El Salvador Ethics Tribunal for further investigation if required.\n                         MARN Institutional Strengthening Actions\n\xef\x82\xb7 Designate in advance all ministerial positions that are deemed politically sensitive and\n   thus eligible for direct appointment by a minister; disallow direct appointment of all other\n   positions.\n\xef\x82\xb7 Obtain the missing confidential financial disclosures and declaration of interest\n   statements.\n\xef\x82\xb7 Develop policies and procedures to guide employees on the application of the local\n   transparency and ethics laws.\n\xef\x82\xb7 Direct the ethics committee to develop a process to log and track complaints and\n   allegations of fraud and abuse and document the review and reporting process.\n             Government of El Salvador Institutional Strengthening Actions\n\xef\x82\xb7 Designate all positions that are deemed politically sensitive and thus eligible for direct\n   appointment by a minister; disallow direct appointment of all other positions.\n                              USAID Risk Mitigation Measures\n\xef\x82\xb7 Help the Government of El Salvador and MARN implement the actions noted above to\n   strengthen the PFM system.\n\xef\x82\xb7 Implement a fixed-amount reimbursement agreement or a cost reimbursement\n   agreement with appropriate mission monitoring to ensure compliance.\n\xef\x82\xb7 Require the use of a special account for the project, and require SAI to perform a yearly\n   audit in accordance with guidelines.\n\n\n\n\n                                                                                                  4\n\x0cArea Evaluated                                                      Risk Rating\nHuman Resources: Resources management                    Probability: Probable\nPotential Impact                                                                      High\nMismanagement of human resources                        Impact:        Significant\n                           Factors Evaluated/ Vulnerabilities\nFactors Evaluated:\n\xef\x82\xb7 Policies and procedures to manage the human resources process\n\xef\x82\xb7 Monitoring tools to evaluate the efficiency and effectiveness of resources\n\xef\x82\xb7 Hiring practices\n\xef\x82\xb7 Training and capacity development\n\nVulnerabilities:\n\xef\x82\xb7 MARN or the Government of El Salvador does not have a policy on salaries. However,\n   MARN employees told us that the Government of El Salvador has contracted a\n   consulting firm to work on a salary policy for all public employees (completion expected\n   in December 2012).\n\xef\x82\xb7 MARN does not allocate funds in its budget for any training except that available\n   in-house, even though outside training may be critical to an employee\xe2\x80\x99s job.\n\xef\x82\xb7 MARN does not use tools to monitor employee performance or employee turnover.\n                       MARN Institutional Strengthening Actions\n\xef\x82\xb7 Provide training that is applicable and necessary for employees to carry out their duties.\n\xef\x82\xb7 Establish a process for managing and monitoring its human capital.\n             Government of El Salvador Institutional Strengthening Actions\n\xef\x82\xb7 Complete the development of the salary evaluation and establish a salary policy.\n                             USAID Risk Mitigation Measures\n\xef\x82\xb7 Help the Government of El Salvador and MARN implement the actions noted above to\n   strengthen the PFM system.\n\xef\x82\xb7 Implement a fixed-amount reimbursement agreement or a cost reimbursement\n   agreement with appropriate mission monitoring to ensure compliance.\n\xef\x82\xb7 Require the use of a special account for the project, and require SAI to perform a yearly\n   audit in accordance with guidelines.\n\n\n\n\n                                                                                               5\n\x0cArea Evaluated                                                     Risk Rating\nBudgeting: Budget formulation and use of funds           Probability: Probable\nPotential Impact                                                                   Critical\nMisappropriation or misuse of funds                      Impact:        Material\n                           Factors Evaluated/ Vulnerabilities\nFactors Evaluated:\n\xef\x82\xb7 Policies and procedures affecting budget creation and tracking\n\xef\x82\xb7 Management controls over the budgeting process\n\xef\x82\xb7 Restrictions on transfer of funds\n\xef\x82\xb7 Budget deviations\n\xef\x82\xb7 Use of special accounts\n\xef\x82\xb7 Budget transparency and access to information\n\nVulnerabilities:\n\xef\x82\xb7 At the end of the year, the Government of El Salvador has the authority to redirect the\n   unspent donor funds placed in the general budget for purposes other than those\n   stipulated by the donor unless the funds are designated in special accounts.\n\xef\x82\xb7 No level of government formally solicits public opinion on budget formation, although\n   informal discussions are held with think tanks, other nongovernmental organizations,\n   and business associations.\n                       MARN Institutional Strengthening Actions\n\xef\x82\xb7 None\n             Government of El Salvador Institutional Strengthening Actions\n\xef\x82\xb7 Create a process for soliciting public opinion on the budget.\n                            USAID Risk Mitigation Measures\n\xef\x82\xb7 Help the Government of El Salvador implement the actions noted above to strengthen\n   the PFM system.\n\xef\x82\xb7 Implement a fixed-amount reimbursement agreement or a cost reimbursement\n   agreement with appropriate mission monitoring to ensure compliance\n\xef\x82\xb7 Require the use of a special account for the project, and require SAI to perform a yearly\n   audit in accordance with guidelines.\n\n\n\n\n                                                                                              6\n\x0cArea Evaluated                                                 Risk Rating\nBudgeting: Reporting and recording                 Probability: Probable\nPotential Impact                                                                   High\nInaccurate reporting and recording                 Impact:       Marginal\n                          Factors Evaluated/ Vulnerabilities\nFactors Evaluated:\n\xef\x82\xb7 Controls over accounting, recording, and reporting of budgetary items\n\xef\x82\xb7 Controls over approvals of budgets and deviations from budgets\n\xef\x82\xb7 Recording and reporting of budgetary items\n\xef\x82\xb7 Budget tracking\n\xef\x82\xb7 Segregation of duties\n\nVulnerabilities:\n\xef\x82\xb7 The Institutional Financial Unit at MARN reallocated and reprogrammed some general\n   budget line items without the required levels of approval.\n                       MARN Institutional Strengthening Actions\n\xef\x82\xb7 Implement policies and procedures requiring appropriate approvals before the\n   reprogramming or reallocation of funds.\n             Government of El Salvador Institutional Strengthening Actions\n\xef\x82\xb7 None\n                            USAID Risk Mitigation Measures\n\xef\x82\xb7 Help MARN implement the actions noted above to strengthen the PFM system.\n\xef\x82\xb7 Implement a fixed-amount reimbursement agreement or a cost reimbursement\n   agreement with appropriate mission monitoring to ensure compliance.\n\xef\x82\xb7 Require the use of a special account for the project, and require SAI to perform a yearly\n   audit in accordance with guidelines.\n\nArea Evaluated                                                    Risk Rating\nAccounting and Reporting \xe2\x80\x93 Recording of journal\n                                                       Probability:   Occasional\nentries\nPotential Impact                                                                     Low\nInaccurate reporting and recording                    Impact:         Negligible\n                        Factors Evaluated/ Vulnerabilities\nFactors Evaluated:\n\xef\x82\xb7 System and manual controls over journal entries\n\xef\x82\xb7 Segregation of duties\n\nVulnerabilities:\n\xef\x82\xb7 None noted\n                       MARN Institutional Strengthening Actions\n\xef\x82\xb7   None\n            Government of El Salvador Institutional Strengthening Actions\n\xef\x82\xb7   None\n                            USAID Risk Mitigation Measures\n\xef\x82\xb7   None\n\n\n                                                                                              7\n\x0cArea Evaluated                                                     Risk Rating\nAccounting and Reporting: Financial reporting            Probability: Frequent\nPotential Impact                                                                   Critical\nInaccurate reporting and recording                       Impact:        Material\n                         Factors Evaluated/ Vulnerabilities\nFactors Evaluated:\n\xef\x82\xb7 Controls over the accounting and reporting process\n\xef\x82\xb7 Segregation of duties\n\nVulnerabilities:\n\xef\x82\xb7 SAI, responsible for conducting annual financial audits of government institutions, does\n   not perform systems audits of the SAFI accounting system to ensure accurate and\n   reliable reporting. In the absence of system audits, the SAI should conduct alternative\n   manual tests of data to validate its completeness, accuracy, and timeliness (whether\n   transactions were processed during the proper period). Because the accounting system\n   was developed by the Government of El Salvador, information technology (IT) audit\n   testing should be thorough and frequent but has been done only twice: by MCC for an\n   audit in 2006 and by SAI in 2007 as a follow-up to the MCC audit.\n                         MARN Institutional Strengthening Actions\n\xef\x82\xb7 None\n             Government of El Salvador Institutional Strengthening Actions\nOne of the following:\n\xef\x82\xb7 SAI: Develop the capacity to perform audits of the SAFI accounting system or at a\n   minimum perform alternative manual tests to validate the system\xe2\x80\x99s data for\n   completeness, accuracy, and timeliness as part of its annual audit.\n\xef\x82\xb7 Ministry of Finance: Direct internal audit group to perform annual testing of the\n   accounting system.\n                              USAID Risk Mitigation Measures\n\xef\x82\xb7 Help the Government of El Salvador implement the actions noted above to strengthen\n   the PFM system.\n\xef\x82\xb7 Implement a fixed-amount reimbursement agreement or a cost reimbursement\n   agreement with appropriate mission monitoring to ensure compliance.\n\xef\x82\xb7 Require the use of a special account for the project, and require SAI to perform a yearly\n   audit that includes alternative manual tests to validate the completeness, accuracy, and\n   timeliness of the reports in accordance with guidelines.\n\n\n\n\n                                                                                              8\n\x0cArea Evaluated                                                      Risk Rating\nOperations - Cash: Use of funds                          Probability: Probable\nPotential Impact                                                                      Critical\nMisappropriation or inefficient use of funds             Impact:        Significant\n                            Factors Evaluated/ Vulnerabilities\nFactors Evaluated:\n\xef\x82\xb7 Policies and procedures over the management of financial resources\n\xef\x82\xb7 Segregation of duties\n\xef\x82\xb7 Cash management\n\xef\x82\xb7 Controls over financial resources and bank accounts\n\nVulnerabilities:\n\xef\x82\xb7 The Government of El Salvador utilizes an excessive number of accounts (over 1,000),\n   and MARN manages 55 bank accounts, creating inefficiencies and increasing the\n   likelihood of errors, misappropriation, fraud, and abuse. Currently, USAID through its\n   Fiscal Policy Technical Assistance Project is supporting the implementation of a\n   Treasury Single Account.\n\xef\x82\xb7 MARN requires two signatures on all checks; however, it does not require that a high-\n   ranking official sign particularly large checks or that the two signatures be those of an\n   employee and his or her supervisor to serve as a form of control to mitigate the risk of\n   misappropriation or fraud.\n\xef\x82\xb7 Background checks of employees managing bank accounts are not periodically updated.\n\xef\x82\xb7 MARN\xe2\x80\x99s insurance coverage for potential losses caused by employee embezzlement\n   from bank accounts is limited to only $11,000 per employee although bank account\n   balances may exceed $1 million.\n                        MARN Institutional Strengthening Actions\n\xef\x82\xb7 Reduce the number of bank accounts by implementing of a Treasury Single Account.\n\xef\x82\xb7 Establish a control requiring that checks above a certain amount require a second\n   signature from a supervisor or a control requiring special approval from officials for all\n   high-dollar payments above a certain threshold.\n\xef\x82\xb7 Conduct periodic background updates on employees who manage bank accounts.\n\xef\x82\xb7 Increase the insurance coverage for losses due to employee embezzlement from bank\n   accounts to match at least the balance in the bank accounts.\n             Government of El Salvador Institutional Strengthening Actions\n\xef\x82\xb7 Reduce the number of bank accounts by implementing a Treasury Single Account.\n                              USAID Risk Mitigation Measures\n\xef\x82\xb7 Help the Government of El Salvador and MARN implement the actions noted above to\n   strengthen the PFM system.\n\xef\x82\xb7 Implement a fixed-amount reimbursement agreement or a cost reimbursement\n   agreement with appropriate mission monitoring to ensure compliance.\n\xef\x82\xb7 Require the use of a special account for the project, and require SAI to perform a yearly\n   audit in accordance with guidelines.\n\n\n\n\n                                                                                                 9\n\x0cArea Evaluated                                                    Risk Rating\nOperations - Cash: Recording and reporting               Probability: Remote\nPotential Impact                                                                  Low\nInaccurate recording                                     Impact:     Negligible\n                           Factors Evaluated/ Vulnerabilities\nFactors Evaluated:\n\xef\x82\xb7 Policies and procedures over bank accounts\n\xef\x82\xb7 Controls over bank accounts and the accounting system\n\xef\x82\xb7 Bank reconciliations\n\xef\x82\xb7 Recording of bank activity\n\nVulnerabilities:\n\xef\x82\xb7 None\n                      MARN Institutional Strengthening Actions\n\xef\x82\xb7   None\n            Government of El Salvador Institutional Strengthening Actions\n\xef\x82\xb7   None\n                           USAID Risk Mitigation Measures\n\xef\x82\xb7   None\n\n\n\n\n                                                                                        10\n\x0cArea Evaluated                                                     Risk Rating\nOperations - Procurement: Use of funds                   Probability: Occasional\nPotential Impact                                                                      Low\nMisappropriation or misuse of funds                      Impact:        Negligible\n                          Factors Evaluated/ Vulnerabilities\nFactors Evaluated:\n\xef\x82\xb7 Policies and procedures over the procurement cycle\n\xef\x82\xb7 Controls over purchases and disbursements\n\xef\x82\xb7 Segregation of duties\n\nVulnerabilities:\n\xef\x82\xb7 For some selections tested, MARN violated the segregation of duties principle by having\n   the same person involved in preparing requisitions, selecting vendors and paying\n   vendors. Risks were somewhat mitigated by having more than one individual involved\n   in the procurement process. For example, checks to pay vendors required two\n   signatures.\n                         MARN Institutional Strengthening Actions\n\xef\x82\xb7 Ensure proper segregation of duties in procurement roles such as preparing a\n   requisition, selecting vendors, and paying vendors.\n             Government of El Salvador Institutional Strengthening Actions\n\xef\x82\xb7 None\n                             USAID Risk Mitigation Measures\n\xef\x82\xb7 Help MARN implement the actions noted above to strengthen the PFM system.\n\xef\x82\xb7 Implement a fixed-amount reimbursement agreement or a cost reimbursement\n   agreement with appropriate mission monitoring to ensure compliance.\n\xef\x82\xb7 Require the use of a special account for the project, and require SAI to perform a yearly\n   audit in accordance with guidelines.\n\n\n\n\n                                                                                              11\n\x0cArea Evaluated                                                     Risk Rating\nProcurement: Recording and tracking of\n                                                        Probability:   Probable\ndisbursements\nPotential Impact                                                                     Critical\nInaccurate recording and reporting of disbursements     Impact:        Significant\n                           Factors Evaluated/ Vulnerabilities\nFactors Evaluated:\n\xef\x82\xb7 Systems and manual controls over the procurement cycle\n\xef\x82\xb7 Integration of systems\n\nVulnerabilities:\n\xef\x82\xb7 MARN records some purchase requisitions in the SIAF system (purchasing system) and\n   others in Microsoft Excel; however, all purchases are recorded in the SAFI accounting\n   system. MARN does not reconcile the data processed in the purchasing system and\n   Microsoft Excel to the data processed in the accounting system to ensure accuracy and\n   completeness.\n\xef\x82\xb7 Because not all purchase requisitions are recorded in the purchasing system, MARN is\n   unable to track or monitor its purchasing and payables processes, making it impossible\n   to review their efficiency or effectiveness. For one sample item tested, we noted that\n   MARN made one vendor payment 3.5 months late. Furthermore, the Stage 1 risk\n   assessment noted that, in general, the government\xe2\x80\x99s procurement process mandated by\n   the Law on Acquisitions and Contracts (LACAP) was lengthy and cumbersome.\n                        MARN Institutional Strengthening Actions\n\xef\x82\xb7 Use the purchasing system for all purchase requisitions.\n\xef\x82\xb7 Monitor the purchasing cycle for efficiency and effectiveness.\n             Government of El Salvador Institutional Strengthening Actions\n\xef\x82\xb7 None\n                             USAID Risk Mitigation Measures\n\xef\x82\xb7 Help MARN implement the actions noted above to strengthen its PFM system.\n\xef\x82\xb7 Implement a fixed-amount reimbursement agreement or a cost reimbursement\n   agreement with appropriate mission monitoring to ensure compliance.\n\xef\x82\xb7 Require the use of a special account for the project, and require SAI to perform a yearly\n   audit in accordance with guidelines.\n\n\n\n\n                                                                                                12\n\x0cArea Evaluated                                                    Risk Rating\nAsset Management: Use of assets                        Probability: Occasional\nPotential Impact                                                                     High\nInefficient use of assets                              Impact:        Significant\n                           Factors Evaluated/ Vulnerabilities\nFactors Evaluated:\n\xef\x82\xb7 Management and monitoring of assets\n\xef\x82\xb7 Physical controls over assets\n\nVulnerabilities:\n\xef\x82\xb7 The annual physical inventory of assets does not include all assets in the field,\n   especially those located in remote areas of the country that may be of high value, due to\n   a lack of sufficient staff.\n\xef\x82\xb7 MARN does not insure any assets other than vehicles.\n                         MARN Institutional Strengthening Actions\n\xef\x82\xb7 Conduct physical inventories of all assets annually, including those in remote locations.\n\xef\x82\xb7 Perform a cost-benefit analysis to determine what assets should be insured, and insure\n   them.\n             Government of El Salvador Institutional Strengthening Actions\n\xef\x82\xb7 None\n                               USAID Risk Mitigation Measures\n\xef\x82\xb7 Help MARN implement the actions noted above to strengthen its PFM system.\n\xef\x82\xb7 Implement a fixed-amount reimbursement agreement or a cost reimbursement\n   agreement with appropriate mission monitoring to ensure compliance.\n\xef\x82\xb7 Require the use of a special account for the project, and require SAI to perform a yearly\n   audit in accordance with guidelines.\n\xef\x82\xb7 For project assets, include insurance requirements in the agreement and monitor MARN\n   compliance.\n\n\n\n\n                                                                                               13\n\x0cArea Evaluated                                                       Risk Rating\nAsset Management: Recording and reporting                 Probability: Probable\nPotential Impact                                                                       Critical\nInaccurate reporting and recording                       Impact:         Significant\n                           Factors Evaluated/ Vulnerabilities\nFactors Evaluated:\n\xef\x82\xb7 Controls over purchases of assets\n\xef\x82\xb7 Assets recording in the registry and the general ledger\n\n Vulnerabilities:\n\xef\x82\xb7 MARN implemented an assets registry in the SIAF system in 2011, but data from the old\n   COAFI system is being manually rekeyed into the fixed-assets module rather than being\n   uploaded directly. As of July 2012, only 70 percent of the data from the old system had\n   been transferred to the new system.\n\xef\x82\xb7 MARN did not document the results of the annual physical inventory count done in 2010;\n   thus, neither inventory count sheets nor other supporting documentation was available\n   for our review.\n\xef\x82\xb7 We found no evidence of supervisory review of the reconciliation of the fixed-assets\n   register and the general ledger for 2010.\n\xef\x82\xb7 The 2010 reconciliation of the fixed-assets register and the general ledger revealed a\n   difference of approximately $354,000 without any explanation or documentation of the\n   resolution.\n\xef\x82\xb7 A reconciliation of the general ledger and the fixed-assets register for 2011 had not\n   been prepared as of the date of the review (June 29, 2012).\n                        MARN Institutional Strengthening Actions\n\xef\x82\xb7 Establish and enforce timelines to complete the transfer of data from the old to the new\n   purchasing system.\n\xef\x82\xb7 Document the results of the annual physical inventory with count sheets.\n\xef\x82\xb7 Ensure that supervisory reviews are performed and documented for the reconciliation of\n   the fixed-assets register and the general ledger.\n\xef\x82\xb7 Ensure that all differences between the fixed-assets register and general ledger are\n   resolved or explained with supporting documentation.\n\xef\x82\xb7 Establish a policy requiring that reconciliations of the general ledger and the fixed-assets\n   register be conducted in the proper accounting period(s).\n             Government of El Salvador Institutional Strengthening Actions\n\xef\x82\xb7 None\n                             USAID Risk Mitigation Measures\n\xef\x82\xb7 Help MARN implement the actions noted above to strengthen its PFM system.\n\xef\x82\xb7 Implement a fixed-amount reimbursement agreement or a cost reimbursement\n   agreement with appropriate mission monitoring to ensure compliance.\n\xef\x82\xb7 Require the use of a special account for the project, and require SAI to perform a yearly\n   audit in accordance with guidelines.\n\n\n\n\n                                                                                                  14\n\x0cArea Evaluated                                                    Risk Rating\nPayroll: Use of funds                                    Probability:   Remote\nPotential Impact                                                                   Low\nMisappropriation or misuse of funds                     Impact:       Negligible\n                           Factors Evaluated/ Vulnerabilities\nFactors Evaluated:\n\xef\x82\xb7 Payroll policies and procedures\n\xef\x82\xb7 Segregation of duties\n\xef\x82\xb7 Controls over time and attendance and payroll\n\xef\x82\xb7 Controls to prevent fraud, waste, and abuse\n\nVulnerabilities:\n\xef\x82\xb7 None noted\n                       MARN Institutional Strengthening Actions\n\xef\x82\xb7   None\n            Government of El Salvador Institutional Strengthening Actions\n\xef\x82\xb7   None\n                            USAID Risk Mitigation Measures\n\xef\x82\xb7   None\n\n\nArea Evaluated                                                    Risk Rating\nPayroll: recording and reporting                         Probability: Remote\nPotential Impact                                                                   Low\nInaccurate recording and reporting                       Impact:      Negligible\n                          Factors Evaluated/ Vulnerabilities\nFactors Evaluated:\n\xef\x82\xb7 Testing of payroll samples to test accuracy and timeliness\n\xef\x82\xb7 Segregation of duties\n\xef\x82\xb7 Accounting and recording of payroll\n\nVulnerabilities:\n\xef\x82\xb7 None noted\n                       MARN Institutional Strengthening Actions\n\xef\x82\xb7   None\n            Government of El Salvador Institutional Strengthening Actions\n\xef\x82\xb7   None\n                            USAID Risk Mitigation Measures\n\xef\x82\xb7   None\n\n\n\n\n                                                                                         15\n\x0cArea Evaluated                                                      Risk Rating\nInformation Systems \xe2\x80\x93 MARN: Backups, contingency\n                                                         Probability:   Frequent\nplans, physical controls, and passwords\nPotential Impact                                                                   Critical\nInaccurate reporting/recording and loss of data          Impact:        Material\n                           Factors Evaluated/ Vulnerabilities\nFactors Evaluated:\n\xef\x82\xb7 Policies and procedures for information systems\n\xef\x82\xb7 Physical safeguards for information systems\n\xef\x82\xb7 Contingency planning\n\xef\x82\xb7 Password controls\n\xef\x82\xb7 Backups\n\nVulnerabilities:\n\xef\x82\xb7 Systems audits provide assurance that the systems are adequately protected, that they\n   provide reliable information to users, and that they are properly managed to achieve\n   their intended benefits. However, MARN\xe2\x80\x99s internal audit group does not perform\n   systems audits.\n\xef\x82\xb7 MARN does not have a fully developed disaster recovery plan. The current plan only\n   lists the elements that the plan should have, without providing details.\n\xef\x82\xb7 Backups are stored in a computer room located at MARN rather than off-site, placing\n   them at risk if a disaster destroys MARN\xe2\x80\x99s facilities.\n\xef\x82\xb7 The public relies on MARN to provide pertinent information in case of disasters, but\n   MARN does not maintain a running mirror server at an off-site location to protect its\n   information in case of disaster at its main site.\n                         MARN Institutional Strengthening Actions\n\xef\x82\xb7 Ensure that information systems audits are conducted.\n\xef\x82\xb7 Fully develop and test a disaster recovery plan.\n\xef\x82\xb7 Maintain backups of its server offsite.\n\xef\x82\xb7 Implement the use of an off-site mirror server or cloud storage of IT systems so that the\n   Ministry can continue functioning in the wake of a disaster.\n             Government of El Salvador Institutional Strengthening Actions\n\xef\x82\xb7 None\n                               USAID Risk Mitigation Measures\n\xef\x82\xb7 Help MARN implement the actions noted above to strengthen its PFM system.\n\xef\x82\xb7 Implement a fixed-amount reimbursement agreement or a cost reimbursement\n   agreement with appropriate mission monitoring to ensure compliance.\n\xef\x82\xb7 Require the use of a special account for the project, and require SAI to perform a yearly\n   audit in accordance with guidelines.\n\n\n\n\n                                                                                              16\n\x0cArea Evaluated                                                       Risk Rating\nInformation Systems \xe2\x80\x93 Ministry of Finance: Reporting\n                                                          Probability:   Frequent\nand recording\nPotential Impact                                                                    Critical\nInaccurate reporting/recording and loss of data           Impact:        Material\n                            Factors Evaluated/ Vulnerabilities\nFactors Evaluated:\n\xef\x82\xb7 Systems integration\n\xef\x82\xb7 Segregation of duties\n\xef\x82\xb7 Application control related to the processing of data for sample selections\n\nVulnerabilities:\n\xef\x82\xb7 Most government institutions use the SAFI accounting system maintained by the Ministry\n   of Finance. Because the accounting system does not have modules for asset\n   management or purchasing, each government institution maintains its own manual or\n   automated system for assets or purchases. For instance, MARN uses the SIAF system\n   to maintain assets and purchases, but this system is not integrated with the accounting\n   system. Moreover, the two systems do not interface; rather, all data is keyed into both\n   manually, resulting in risk of error or omission.\n\xef\x82\xb7 The Ministry of Finance\xe2\x80\x99s internal audit group has not conducted any audit of the\n   information systems maintained by the ministry, including the SAFI accounting system.\n   Employees at the ministry explained that system auditors had been hired recently, but\n   no systems audits had been conducted as of August 24, 2012 (the date of our review).\n                        MARN Institutional Strengthening Actions\n\xef\x82\xb7 None\n            Government of El Salvador Institutional Strengthening Actions\n\xef\x82\xb7 In the short term, the Ministry of Finance should verify that data from supporting systems\n   is properly uploaded to the accounting system.\n\xef\x82\xb7 In the long term, the Government of El Salvador should upgrade the accounting system\n   to include the asset management and purchasing modules.\n\xef\x82\xb7 The Ministry of Finance should conduct systems audits.\n                              USAID Risk Mitigation Measures\n\xef\x82\xb7 Help the Government of El Salvador implement the actions noted above to strengthen\n   the PFM system.\n\xef\x82\xb7 Implement a fixed-amount reimbursement agreement or a cost reimbursement\n   agreement with appropriate mission monitoring to ensure compliance.\n\xef\x82\xb7 Require the use of a special account for the project, and require SAI to perform a yearly\n   audit in accordance with guidelines and include alternative manual tests to validate the\n   completeness, accuracy, and timeliness of the reports.\n\n\n\n\n                                                                                               17\n\x0cArea Evaluated                                                      Risk Rating\nInformation Systems \xe2\x80\x93 Ministry of Finance (Hacienda):\nBackups, contingency plans, physical controls, and       Probability:   Frequent\npasswords                                                                          Critical\nPotential Impact\nInaccurate reporting and recording, and loss of data     Impact:        Material\n                           Factors Evaluated/ Vulnerabilities\nFactors Evaluated:\n\xef\x82\xb7 Policies and procedures for information systems\n\xef\x82\xb7 Physical safeguards for information systems\n\xef\x82\xb7 Contingency planning\n\xef\x82\xb7 Passwords and controls over users\xe2\x80\x99 roles\n\xef\x82\xb7 Backups\n\nVulnerabilities:\n\xef\x82\xb7 The air-conditioning (AC) unit is in the same room with the server, EPS2. AC units should\n   not be placed in the same room with the server because condensate from cooling\n   increases the risk of water damage to the mainframe. Additionally, the mainframe server\n   floor for EPS2 is not raised for protection in case of flooding.\n\xef\x82\xb7 The door protecting the computer room is not fireproof.\n\xef\x82\xb7 The user role sostenibilidad (support) in the SAFI accounting system has access to the\n   system\xe2\x80\x99s security modules. This user role is defined at the institutional level, meaning\n   that users from other institutions with this role may be able to access the Ministry of\n   Finance\xe2\x80\x99s security modules. Access to these should be restricted to IT support at the\n   Ministry of Finance.\n\xef\x82\xb7 The accounting system does not require a strong password. The ministry\xe2\x80\x99s information\n   technology manual defines a strong password as one that is 15 characters long and\n   includes a combination of special characters, capital letters, lowercase letters, and\n   numbers.\n\xef\x82\xb7 The ministry uses a mirror server at its customs office to store data in case of an\n   emergency or disaster. However, because this site is only 23 kilometers away, a\n   disaster\xe2\x80\x94particularly an earthquake\xe2\x80\x94could also damage the mirror server.\n                         MARN Institutional Strengthening Actions\n\xef\x82\xb7 None\n              Government of El Salvador Institutional Strengthening Actions\n\xef\x82\xb7 Protect the main servers from water damage.\n\xef\x82\xb7 Install a fireproof door in the computer room.\n\xef\x82\xb7 Deny the user role sostenibilidad access to security modules.\n\xef\x82\xb7 Strengthen password rules to comply with the information systems manual.\n\xef\x82\xb7 Use a remote location as the site for a mirror server, or use cloud storage.\n                              USAID Risk Mitigation Measures\n\xef\x82\xb7 Help the Government of El Salvador implement the actions noted above to strengthen its\n   PFM system.\n\xef\x82\xb7 Implement a fixed-amount reimbursement agreement or a cost reimbursement\n   agreement with appropriate mission monitoring to ensure compliance.\n\xef\x82\xb7 Require the use of a special account for the project, and require SAI to perform a yearly\n   audit in accordance with guidelines.\n\n\n                                                                                              18\n\x0cArea Evaluated                                                         Risk Rating\nAudit: Internal Audit Function - MARN                         Probability: Probable\nPotential Impact                                                                         High\nInaccurate reporting                                          Impact:        Marginal\n                          Factors Evaluated/ Vulnerabilities\nFactors Evaluated:\n\xef\x82\xb7 Audit coverage\n\xef\x82\xb7 Independence\n\xef\x82\xb7 Audit effectiveness and capacity\n\nVulnerabilities:\n\xef\x82\xb7 The internal audit department is not independent; the Minister of Environment has\n   operational control of the internal audit department and the auditors do not report directly\n   to an audit committee or officials independent of the ministry.\n\xef\x82\xb7 MARN\xe2\x80\x99s internal audit procedures manual does not establish a deadline for closing\n   recommendations. For example, recommendations from an audit in 2010 remain open.\n                        MARN Institutional Strengthening Actions\n\xef\x82\xb7 Establish and meet deadlines to implement audit recommendations.\n             Government of El Salvador Institutional Strengthening Actions\n\xef\x82\xb7 Develop a reporting structure requiring all ministries\xe2\x80\x99 internal audit departments to have\n   a higher degree of independence by reporting directly to SAI rather than to their\n   respective minister.\n                             USAID Risk Mitigation Measures\n\xef\x82\xb7 Help the government and MARN implement the institutional actions noted above to\n   strengthen the PFM system.\n\xef\x82\xb7 Implement a fixed-amount reimbursement agreement or a cost reimbursement\n   agreement with appropriate mission monitoring to ensure compliance.\n\xef\x82\xb7 Require the use of a special account for the project, and require SAI to perform a yearly\n   audit in accordance with guidelines.\n\n\n\n\n                                                                                                  19\n\x0cArea Evaluated                                                       Risk Rating\nAudit: Financial Audit Function \xe2\x80\x93 Government of\n                                                           Probability:   Probable\nEl Salvador (SAI)\nPotential Impact                                                                      High\nInaccurate reporting                                       Impact:        Marginal\n                            Factors Evaluated/ Vulnerabilities\nFactors Evaluated:\n\xef\x82\xb7 Policies and procedures\n\xef\x82\xb7 Audit process\n\nVulnerabilities:\n\xef\x82\xb7 The results of audits conducted by SAI are not available to the public, only to public\n   officials.\n\xef\x82\xb7 SAI does not establish deadlines for completing government audits. The audit report for\n   MARN for the period ended December 31, 2009, was published in February 2012\n   (26 months later), and the report for the period ended December 31, 2010, was\n   published on May 2012 (17 months later).\n\xef\x82\xb7 The Legislative Assembly appoints SAI officials, raising doubts about SAI\xe2\x80\x99s\n   independence and potentially affecting the results of audits at a time when one party\n   exercises significant control over the political system.\n                        MARN Institutional Strengthening Actions\n\xef\x82\xb7 None\n              Government of El Salvador Institutional Strengthening Actions\n\xef\x82\xb7 Require that the results of audits be posted on SAI\xe2\x80\x99s Web site, making them accessible\n   to Salvadoran citizens.\n\xef\x82\xb7 Establish deadlines for conducting and reporting the results of government audits.\n                             USAID Risk Mitigation Measures\n\xef\x82\xb7 Help the government implement the actions noted above to strengthen its PFM system.\n\xef\x82\xb7 Implement a fixed-amount reimbursement agreement or a cost reimbursement\n   agreement with appropriate mission monitoring to ensure compliance.\n\xef\x82\xb7 Require the use of a special account for the project, and require SAI to perform a yearly\n   audit in accordance with guidelines.\n\xef\x82\xb7 Monitor the political environment in El Salvador; if the SAI\xe2\x80\x99s independence is\n   questionable, choose a private audit firm.\n\n\n\n\n                                                                                              20\n\x0cArea Evaluated                                                       Risk Rating\nCompliance with local procurement law (LACAP)              Probability: Frequent\nPotential Impact                                                                      Critical\nMisappropriation or misuse of funds                        Impact:        Material\n                            Factors Evaluated/ Vulnerabilities\n    Factors Evaluated:\n\xef\x82\xb7   Policies and procedures\n\xef\x82\xb7   Bidding and vendor selection\n\xef\x82\xb7   Contractual compliance\n\n    Vulnerabilities:\n\xef\x82\xb7   LACAP requires competitive bidding for purchases exceeding $53,000 but allows\n    government institutions to bypass the competitive bidding requirement without giving\n    them clear criteria for justifying doing so. Bypassing the competitive bidding requirement\n    increases the risk of misappropriation and manipulation of the bidding process. Our\n    testing revealed that MARN purchased special equipment for $1.3 million through direct\n    procurement rather than competitive bidding. The justification for this direct procurement\n    was inadequate because it lacked support (e.g., technical evaluation, specifications for\n    equipment capacity and quality, etc.).\n\xef\x82\xb7   The bidding period is at times too short to allow for adequate vendor participation. For\n    instance, the time LACAP allows for vendor selection for purchases above $53,000 is\n    from 3 to 5 days. Bidding for one sample item reviewed was only open for 1 day.\n\xef\x82\xb7   On two purchase requisitions in our sample, language was vague, not giving specific\n    criteria for the purchases.\n                          MARN Institutional Strengthening Actions\n\xef\x82\xb7   Use a competitive process rather than direct procurement to select most vendors for the\n    program, and establish an appropriate approval process for noncompetitive procurement\n    transactions that is properly documented.\n\xef\x82\xb7   Establish clear criteria for justifying noncompetitive procurement transactions.\n               Government of El Salvador Institutional Strengthening Actions\n\xef\x82\xb7   None\n                                USAID Risk Mitigation Measures\n\xef\x82\xb7   Help the government and MARN implement the actions noted above to strengthen the\n    PFM system.\n\xef\x82\xb7   Implement a fixed-amount reimbursement agreement or a cost reimbursement\n    agreement with appropriate mission monitoring to ensure compliance.\n\xef\x82\xb7   Require the use of a special account for the project, and require SAI to perform a yearly\n    audit in accordance with guidelines.\n\xef\x82\xb7   Require all vendor selections for procurements above a threshold of $2,500 to be made\n    through a competitive process rather than through direct procurement as mandated by\n    LACAP.\n\n\n\n\n                                                                                                 21\n\x0cArea Evaluated                                                     Risk Rating\nCompliance with local laws                              Probability: Probable\nPotential Impact                                                                     Critical\nViolation of local laws                                 Impact:        Significant\n                           Factors Evaluated/ Vulnerabilities\nFactors Evaluated:\n\xef\x82\xb7 Policies and procedures\n\xef\x82\xb7 Controls to prevent fraud, waste, and abuse (e.g., transparency law) and enforce laws\n\nVulnerabilities:\n\xef\x82\xb7 The ethics law has the following weaknesses:\n    o Complaints cannot be filed anonymously.\n    o The law does not mention protection for whistleblowers.\n    o The law does not provide for administrative leave while an official is under\n        investigation for potential wrongdoing related to his or her duties.\n    o The penalty for wrongdoing is limited to 40 times the minimum wage (about $230 a\n        month), which may not be enough to deter fraudulent acts and may not compare to\n        the amount of the illicit gain or harm.\n\xef\x82\xb7 The ethics law requires the establishment of ethics boards at each government\n    institution. MARN has established an ethics board; however, meetings of the board\n    have not been documented. Additionally, one of the board members who represents the\n    employees lives in a remote location and cannot easily participate in meetings.\n\xef\x82\xb7 The outcomes of investigations or reviews have not been posted on the public Web site.\n                          MARN Institutional Strengthening Actions\n\xef\x82\xb7 Document meetings of the ethics board.\n\xef\x82\xb7 Establish eligibility requirements for elected board members so that they are easily\n    accessible and can attend meetings.\n\xef\x82\xb7 Verify that the results of investigations or reviews are made public.\n              Government of El Salvador Institutional Strengthening Actions\nStrengthen its ethics law by:\n\xef\x82\xb7 Allowing complaints to be filed anonymously\n\xef\x82\xb7 Providing protection for whistleblowers\n\xef\x82\xb7 Pegging monetary sanctions to the value of illicit gains or damages to discourage illicit\n    acts\n                               USAID Risk Mitigation Measures\n\xef\x82\xb7 Help the government and MARN implement the actions noted above to strengthen the\n    PFM system.\n\xef\x82\xb7 Implement a fixed-amount reimbursement agreement or a cost reimbursement\n    agreement with appropriate mission monitoring to ensure compliance.\n\xef\x82\xb7 Require the use of a special account for the project, and require SAI to perform a yearly\n    audit in accordance with guidelines.\n\n\n\n\n                                                                                                22\n\x0cArea Evaluated                                                    Risk Rating\nCompliance with donor agreements                       Probability: Probable\nPotential Impact                                                                    High\nViolation of donor agreements                          Impact:         Negligible\n                          Factors Evaluated/ Vulnerabilities\nFactors Evaluated:\n\xef\x82\xb7 Controls to manage donor agreements\n\xef\x82\xb7 Policies and procedures\n\xef\x82\xb7 Training on U.S. laws and regulations applicable to the agreements\n\xef\x82\xb7 Controls to enforce laws applicable to the agreements\n\nVulnerabilities:\n\xef\x82\xb7 MARN does not have a process for reviewing the issues raised by external and internal\n   audit reports and applying them as lessons learned.\n\xef\x82\xb7 MARN hires outside consultants rather than using its own personnel to implement\n   projects funded by international donors that utilize special accounts. When those\n   projects end, most consultants are not retained at MARN, which loses their knowledge.\n\xef\x82\xb7 Interviews with MARN personnel revealed a lack of knowledge/familiarity with standard\n   provisions applicable to USAID agreements.\n                        MARN Institutional Strengthening Actions\n\xef\x82\xb7 Review the results of audits conducted by external auditors, and apply lessons learned.\n\xef\x82\xb7 Add project staff to its budget to avoid the loss of knowledge when donor funding ends.\n\xef\x82\xb7 Provide training to familiarize all personnel with U.S. laws applicable to the agreement\n   with USAID.\n             Government of El Salvador Institutional Strengthening Actions\n\xef\x82\xb7 None\n                             USAID Risk Mitigation Measures\n\xef\x82\xb7 Help MARN implement the actions noted above to strengthen its PFM system.\n\xef\x82\xb7 Implement a fixed-amount reimbursement agreement or a cost reimbursement\n   agreement with appropriate mission monitoring to ensure compliance.\n\xef\x82\xb7 Require the use of a special account for the project, and require SAI to perform a yearly\n   audit in accordance with guidelines.\n\xef\x82\xb7 Train MARN staff with standard USAID provisions applicable to the agreement.\n\n\n\n\n                                                                                              23\n\x0c                                                                                  Appendix I\n\n\n\nSCOPE AND METHODOLOGY\nScope\nRIG/San Salvador conducted this risk assessment in accordance with generally accepted\ngovernment auditing standards. This risk assessment complies with the general standards in\nChapter 3 as well as with the evidence and documentation standards in Chapter 6 (paragraphs\n6.79 through 6.85) of Government Auditing Standards. Those standards require that we plan\nand perform the assessment to obtain sufficient, appropriate evidence to provide a reasonable\nbasis for our findings and conclusions. We believe that the evidence obtained provides that\nreasonable basis.\n\nThe purpose of this assessment was to (1) perform an in-depth assessment of vulnerabilities\nnoted during the Stage 1 assessment, (2) assess the control environment and identify additional\nvulnerabilities and risks associated with operating directly through the MARN environment, and\n(3) based on the risks and vulnerabilities identified, recommend institutional strengthening\nactions to strengthen the MARN control environment and reduce the risk of wasting or misusing\nU.S. Government resources.\n\nIn planning and performing the review, we assessed MARN\xe2\x80\x99s and the Government of\nEl Salvador\xe2\x80\x99s management controls related to their internal processes. The management\ncontrols tested included controls over risk management, cash management, accounting and\nfinancial reporting, budgeting, payroll and human resources, assets management, audit,\ninformation systems, procurement, compliance with local and U.S. laws, and compliance with\ndonor agreements.\n\nThe review covered expenditures associated with the Government of El Salvador\xe2\x80\x99s general\nfunds and programs managed by MARN from January 1, 2010, to April 30, 2012. RIG/San\nSalvador conducted the risk assessment in San Salvador, El Salvador, from May 22 to\nAugust 24, 2012.\n\nStage 2 Team\n\nThe Stage 2 assessment was conducted under the overall responsibility of the IPR Committee\ncoordinated by the mission controller. There were three teams involved in the assessment:\n\nThe Risk Assessment Team, which was responsible for conducting the fieldwork for the risk\nassessment:\n\n\xef\x82\xb7   Ivan Magana \xe2\x80\x93 Regional Inspector General Office in San Salvador - Team Leader\n\xef\x82\xb7   Karla Hasbun \xe2\x80\x93 Regional Inspector General Office in San Salvador\n\xef\x82\xb7   Juan Carlos Rivas \xe2\x80\x93 USAID/El Salvador, Economist, Strategic Development Office Carlos\n    Milla \xe2\x80\x93 USAID/El Salvador Financial Analyst\n\xef\x82\xb7   Blanca Ibarra \xe2\x80\x93 USAID/El Salvador Senior Acquisition and Assistance Specialist\n\xef\x82\xb7   Omar Robles \xe2\x80\x93 USAID/El Salvador Financial Management Officer\n\nThe Technical Capacity Assessment Team, which was responsible for conducting the technical\nevaluation of MARN\xe2\x80\x99s capacity:\n\n                                                                                            24\n\x0c                                                                                       Appendix I\n\n\n\n\xef\x82\xb7   Carlos Hasbun \xe2\x80\x93 USAID/El Salvador Environmental Team Leader\n\xef\x82\xb7   Parviz Shahidinejad \xe2\x80\x93 USAID/El Salvador Senior Financial Analyst\n\xef\x82\xb7   Mary Latino Rodriguez \xe2\x80\x93 USAID/El Salvador Environmental Team\n\xef\x82\xb7   Luis Ramos \xe2\x80\x93 USAID/El Salvador Environmental Team\n\nFrom the IPR Committee, the following members were responsible for evaluating the results of\nthe assessment:\n\n\xef\x82\xb7   Allen Vargas \xe2\x80\x93 USAID/El Salvador Mission Controller\n\xef\x82\xb7   Parviz Shahidinejad \xe2\x80\x93 USAID/El Salvador Senior Financial Analyst\n\xef\x82\xb7   Michelle Jennings \xe2\x80\x93 USAID/El Salvador Economic Growth Officer\n\xef\x82\xb7   Karen Hunter \xe2\x80\x93 USAID/El Salvador Regional Legal Advisor\n\nMethodology\nThe risk assessment was conducted in compliance with ADS 220 and followed the guidance of\nthe Public Financial Management Risk Assessment Framework for Stage 2 prepared by USAID.\nIn conducting the risk assessment, we interviewed government officials at MARN, the Ministry of\nFinance, Customs, and SAI to obtain an understanding of the internal processes related to the\nmanagement controls identified.\n\nFor each management control identified, we judgmentally made sample selections and tested the\ncontrols related to the area to determine whether the controls were operating effectively. (This\nassessment is not an audit; therefore, testing is appropriate for a limited sample of transactions.)\n\nAdditionally, we reviewed the Stage 1 Rapid Appraisal Risk Assessment report prepared by\nUSAID/San Salvador to obtain an understanding of issues raised related to Government of El\nSalvador.\n\nAnalysis of Impact and Probability\n\nOur approach for determining the risk rating of the areas of vulnerability during this Stage 2 risk\nassessment included an evaluation of the impact and probability of an adverse event occurring\nand affecting MARN\xe2\x80\x99s operations, including the project. Impact and probability were measured\non a 1-4 scale.\n\nImpact \xe2\x80\x93 The severity of an adverse event associated with a risk or combination of risks is\ndescribed below. Impact was evaluated on a 1\xe2\x80\x934 scale.\n\n    Negligible: 1 - PFM broadly reflects good international practice. The development objective\n    outcome can reasonably be assumed to be attained if conditions do not change. This rating\n    indicates that strong political and management commitment to sound PFM practice is\n    evident. Internal controls overall function as intended with deviations potentially having a\n    financial impact that is less than significant to a program. Accountability institutions are\n    mature, function routinely, and are not under threat.\n\n    Marginal: 2 - PFM broadly reflects good international practice with some gaps or\n    inefficiencies present. Political or management commitment to closing the gaps and\n    eliminating inefficiencies is present. The development objective is reasonably likely to be\n\n                                                                                                 25\n\x0c                                                                                    Appendix I\n\n\n   attained. Expected effects could include minor delays in attainment, minor dissatisfaction by\n   stakeholders, or a nonmaterial financial impact. Noncompliance with the internal control\n   framework is the exception rather than the rule, potentially having a financial impact that is\n   less than material on a program. Weaknesses in accountability may be present, or\n   accountability may be in an early and untested stage of development.\n\n   Significant: 3 - Significant elements of the PFM system do not reflect good international\n   practice. Political or management commitment to attaining a state of compliance with good\n   international practice is inconsistent or questionable. Attainment of some of the expected\n   outcomes associated with the development objective can reasonably be expected.\n   Expected effects could include a major delay, limited dissatisfaction by stakeholders, and a\n   material financial impact. Noncompliance with the internal control framework is likely to\n   occur and may result in significant impact to the program. Weakness in accountability is\n   evident. Opposition to accountability is evident among some elements in the government.\n\n   Material: 4 - There are obvious and material divergences from good international PFM\n   practice. Political and management commitment to attainment of a state of compliance with\n   good international practice is the exception or entirely absent. Realization of an adverse\n   event associated with this risk factor would lead to less-than-desirable outcomes. Expected\n   effects include failure of the project, widespread and severe dissatisfaction by stakeholders,\n   major financial losses, and extensive loss of reputation. Noncompliance with the internal\n   control framework is expected to occur widely. Accountability institutions have major gaps.\n   Opposition to accountability is organized or widespread and therefore expected.\n\nProbability \xe2\x80\x93 The likelihood of occurrence of an adverse event associated with a risk or a\ncombination of risks. Probability was measured on a 1-4 scale.\n\n   Remote: 1 - This number reflects the conclusion that there is less than a 25 percent\n   probability. An adverse event associated with the risk is rare or would only occur in\n   exceptional circumstances. There is little or no experience of a similar failure.\n\n   Occasional: 2 - This number reflects a conclusion that the probability lies between 26 and\n   50 percent. An adverse event associated with the risk might occur because the conditions\n   for it exist, but controls exist and are effective.\n\n   Probable: 3 - This number reflects a conclusion that the probability lies between 51 and 75\n   percent. An adverse event associated with the risk likely will occur because the controls are\n   inadequate or are applied inconsistently.\n\n   Frequent: 4 - This number reflects a conclusion that the probability lies between 76 and 99\n   percent. An adverse event associated with the risk is expected to occur. There is near\n   certainty of occurrence because the controls do not exist or are ineffective.\n\n\n\n\n                                                                                              26\n\x0c                                                                                     Appendix I\n\n\n                                         Figure I-1\n                         Public Financial Management Risk Matrix\n\n\n\n                  Material          High         Critical      Critical      Critical\n\n\n\n\n                  Significant       High          High         Critical      Critical\n\n         Impact\n\n\n                  Marginal        Medium        Medium          High          High\n\n\n\n\n                  Negligible        Low           Low          Medium       Medium\n\n\n                                Remote        Occasional  Probable         Frequent\n                                                    Probability\n\nRisk Treatment\n\nAssignment of risk to a classification of Critical, High, Medium, or Low drives the appropriate\nlevel of treatment to mitigate the risk. Figure I-2 defines each of these scores and relates the\nappropriate levels of risk mitigation suggested for each.\n\n\n\n\n                                                                                              27\n\x0c                                                                                        Appendix I\n\n\n                                       Figure I-2\n                           Suggested Risk Mitigation Treatment\n Score          Mitigation                                       Detail\n               Requirement\nCritical   Terminate exposure      Critical requires stringent mitigating measures only if these\n           or enforce mitigating   have a high probability of success. Otherwise, we would\n           measures.               recommend terminating the exposure by delivering the\n                                   assistance through other means. In rare cases where an\n                                   effective transfer of risk mechanism exists and is deemed\n                                   effective, we will consider transfer of the risk, albeit with a risk\n                                   assessment of the ability of the transferor to deliver on its\n                                   obligation. (A central bank guarantee of a deposit in a local\n                                   bank is an example of a transfer mechanism.) Mitigating\n                                   measures are likely to include concurrent audit,\n                                   reimbursement-only mechanisms, tranching, affirmative\n                                   transaction     approval,     cosignature     requirements       on\n                                   disbursements, and other active and continuous control\n                                   features.\nHigh       Consider terminating    High requires serious mitigating measures to treat the risk.\n           exposure or             Treatment may include a wide variety of risk mitigation\n           enforcing mitigating    measures that should be enforced continuously.\n           measures\nMedium     Consider enforcing      Medium requires mitigating measures, but these may be\n           mitigating measures     periodic, such as semiannual audits or no objection\n           or monitoring           processes for procurement approval. Third-party oversight,\n                                   such as an arrangement with the national procurement\n                                   oversight body, could be considered.\nLow        Monitoring              Low requires monitoring and audit, but treatment of specific\n                                   risks will not be an ex ante requirement. Routine controls\n                                   and oversight are appropriate. In some cases, terms and\n                                   conditions in the agreement may be sufficient, provided that\n                                   performance of the terms and conditions is monitored.\n\n\n\n\n                                                                                                   28\n\x0c                                                                            Appendix II\n\n\n\nFLOW OF FUNDS UNDER THE TWO TYPES OF AGREEMENTS\nBEING CONSIDERED\nThe mission has determined that it will probably sign a fixed-amount reimbursement\nagreement or a cost reimbursement agreement with MARN. Below and on the next page,\nwe provide the funds flows for these instruments.\n\n\n\n\n    Flow of Funds Under a Fixed-Amount \n\n        Reimbursement Agreement \n\n\n\n\n\n                                                                                 USAID\xc2\xa0\n                                                                                Transfers\xc2\xa0\n              MARN\xc2\xa0                            USAID\xc2\xa0                           Funds\xc2\xa0to\xc2\xa0\n                                 Evidence\xc2\xa0\n            Completes\xc2\xa0                        Verifies\xc2\xa0          Funds\xc2\xa0          MARN\xc2\xa0\n   Output                        of\xc2\xa0Output\xc2\xa0\n             Output\xc2\xa0                          Output\xc2\xa0           Transfer\xc2\xa0       Separate\xc2\xa0\n                                  Delivery\n             Delivery                         Delivery                           Project\xc2\xa0\n                                                                               Account\xc2\xa0via\xc2\xa0\n                                                                                   EFT\n\n\n\n\n                                                                                    29\n\n\x0c                                                             Appendix II\n\n\n\n       Flow of Funds Under a \n\n  Cost Reimbursement Agreement \n\n\n\n\nUSAID\xc2\xa0Advances\xc2\xa0Funds\xc2\xa0to\xc2\xa0MARN\xc2\xa0\nSeparate\xc2\xa0Project\xc2\xa0Account\xc2\xa0via\xc2\xa0EFT\xc2\xa0\n\n\n                                    MARN\xc2\xa0Processes\xc2\xa0Payments\xc2\xa0to\xc2\xa0\n                                    Vendors\xc2\xa0from\xc2\xa0Project\xc2\xa0Account\xc2\xa0via\xc2\xa0\n                                    Check\n\n\n\n\n                                  MARN\xc2\xa0Submits\xc2\xa0Voucher\xc2\xa0to\n\xc2\xa0\n                               Liquidate\xc2\xa0Outstanding\xc2\xa0Advance\n\n\n\n\n\n                                                                     30\n\x0c                                                                                   Appendix III\n\n\n\nTECHNICAL CAPACITY ASSESSMENT\n\nA Quick Technical Assessment of the Ministry of Environment and\nNatural Resources to implement the Restoration of Ecosystems\nand Landscapes of El Salvador Project\n\nA. The setting:\n\nOn May 7, 2012, MARN officially launched the National Program of Restoration of\nEcosystems and Landscapes (PREP). The PREP is consistent with the Government of El\nSalvador\xe2\x80\x99s National Environmental Policy (NEP), which objective is to reverse environmental\ndegradation and reduce vulnerability to climate change. One of the priorities of the NEP is\nthe inclusive restoration and conservation of ecosystems.\n\nAccording to the NEP, environmental degradation in El Salvador has reached such a critical\npoint that meaningful action is necessary to reduce risks, support productive activities and\nensure the welfare of the population. A socially inclusive approach involving the participation\nof communities is considered essential to preserve and enhance the provision of ecosystem\nservices by the diversity of ecosystems and species.\n\nThe current Biodiversity Strategy of El Salvador was developed in 2000. MARN has recently\nstarted the updating of the Strategy with funds from GEF/UNDP. One of the goals of the\nupdating process is to align it with NEP and PREP.\n\nB. PREP has three main components:\n\n1. Development of climate-resilient agriculture: Recognizing that agricultural activities\nrepresent the main land use in the country, this component seeks to begin the transition from\nan agricultural sector based heavily on slash and burn practices, and intensive agrochemical\nuse to sustainable agricultural and livestock practices that are more resilient to the threat of\nclimate change. PREP pursues the development of a massive expansion of agro-forestry\nand sustainable agriculture practices to prevent soil erosion, increase vegetation cover,\nmitigating climate change by soil and vegetation carbon sequestration while adapting to it,\nimprove water flow hydrology, reduce agrochemical use, and improve conditions for\nbiodiversity conservation.\n\n2. Synergistic development of physical and natural infrastructure: Physical\ninfrastructure in El Salvador, particularly road infrastructure, is very vulnerable to climate\nvariability and has been heavily impacted by the increased frequency and intensity of climate\nchange-related extreme weather events in the last decade. The typical response has been\nmore complex man-made infrastructure. Although new design specifications can reduce this\nvulnerability, it implies significant costs increases. MARN and the Ministry of Public Works\n(MOP) propose through PREP that combining investments in both physical and natural\ninfrastructure will be more cost efficient. For example, protecting watersheds with the\nexpansion tree cover through agroforestry and creating or preserving riparian buffer forests\nalong river banks would regulate hydrological flows, reducing flooding impacts on bridges,\nports and communities. This would also restore and expand biological corridors, creating a\nmore favorable environment for biodiversity conservation.\n\n3. Restoration and conservation of critical ecosystems: The restoration and conservation\nof mangroves, beaches, wetlands and forests is essential to ensure adequate provision of\nenvironmental services necessary to support all productive activities, secure the livelihoods\n\n                                                                                             31\n\x0c                                                                                 Appendix III\n\n\nof local communities, conserve biodiversity and enhance adaptation to climate changes. Of\nparticular concern are coastal marine ecosystems, particularly mangroves, and the recovery\nof their role to protect against storm surges and tsunamis and to reduce coastal erosion, as\nwell as the enhancement of their functionality as breeding areas for a wide range of marine\nand other species upon which communities depend for food and income.\nThe PREP recognizes that given the levels of environmental degradation in El Salvador, it is\nnot adequate to simply transform or manage isolated points or small areas of the country, but\na massive transformation is required; eventually, results will be obtained throughout the\ncountry.\n\nC. Analysis of Strengths and Weaknesses:\n\nA quick assessment of MARN\xe2\x80\x99s current strengths and weaknesses in light of its new\nmandate to implement the PREP is present below. It should be noted that the proposed\nUSAID project which is in preliminary design process falls within the purview of the PREP.\n\nMARN has extensive experience implementing a large variety of environmental and\nbiodiversity projects. Its personnel include a significant number of specialized professionals\nin areas of interest to PREP. MARN\xe2\x80\x99s solid institutional relationship with MAG and MOP,\nwhich are key stakeholders for PREP, is a source of strength which will be tapped during the\nimplementation of the PREP. By policy, as a measure of long-term sustainability, MARN\nfocuses on grass root practices through an inclusive management approach supported by\ncommunity action and effective coordination of local governments and national public\ninstitutions, as expressed in the NEP. The PREP is a high priority for the Minister and the\ncurrent Government of El Salvador administration and additional budgetary resources are\nbeing secured for its implementation.\n\nNotwithstanding the strengths briefly discussed above, the 2012 NEP and PREP introduce\nsignificant changes in the approach to the management of biodiversity in El Salvador. There\nare two major issues that need to be addressed for successful implementation of PREP.\n\n1. Identification of PREP within MARN\xe2\x80\x99s organizational structure\n\nPREP will require efficient use of human and other institutional resources for a massive\nmobilization of farmers, grass root organizations and other key actors in the territories of\nintervention. Even though MARN has valuable institutional and specialized human resources\nthat are relevant to project implementation, it is not clear whether these resources are\nefficiently organized under the same direction to optimize their performance.\n\nCurrently, MARN is going through a reengineering of its organizational structure directed at\nprogram management. Programs will be led by designated directorates with the participation\nof other related offices. PREP represents the climate change-related strategic action and,\naccording to MARN\xe2\x80\x99s current plans, will be led by the General Directorate of Climate Change\nand Strategic Issues.\n\nAs a result of the reengineering, and because of PREP\xe2\x80\x99s biodiversity orientation, MARN is\nplanning to establish the General Directorate of Biodiversity and Natural Heritage which will\nsupport the Climate Change Directorate in PREP implementation.\n\n2. Strengthening of the National Environmental Management System (SINAMA)\n\n\n\n\n                                                                                           32\n\x0c                                                                                        Appendix III\n\n\n\nThe project will include working with small sub-projects implemented by NGOs and\nCommunal Development Associations (ADESCOs). Therefore, MARN will require additional\ncapacity to monitor and evaluate the sub-projects. This task can be performed by the\nMunicipal Environmental Units considered by law under SINAMA. MARN acknowledges that\nSINAMA is not fully functional due to limited capacity of various municipalities, which would\nrequire institutional capacity development.\n\nAccordingly, MARN is taking steps toward strengthening SINAMA. For example, MARN has\nprogrammed funds in its 2013 budget, subject to legislative approval, to support the\nmunicipalities\xe2\x80\x99 environmental units. In line with this initiative, the municipalities of initial PREP\ninterventions are prioritized by MARN. Additionally, the Inter-American Development Bank\nhas made strengthening of SINAMA a requirement for a $200 million loan currently under\nnegotiation with the Government of El Salvador.\n\nD. Conclusion:\n\nBased on the quick assessment and the additional capacity development considerations\noutlined above, the Economic Growth Office concludes that MARN is capable of\nimplementing the PREP. It is intended that USAID\xe2\x80\x99s contribution will further fortify MARN\nand the municipalities to ensure program success and sustainability. The consultant to be\ncontracted by USAID for the design of the project will further explore technical capacity\ndevelopment needs of the MARN in light of the up-coming program implementation\nchallenges and will propose the required measures to be incorporated into project design\nand implementation.\n\n\n\n\n                                                                                                  33\n\x0c                                                                                     Appendix IV\n\n\nPFMRAF QUESTIONNAIRE\n\n\n\n  Questionnaire for the Public Financial Management Risk Assessment\n                           (PFMRAF Stage II)\n\n\n                         FIRST CRITERION: \n\n\n                MANAGEMENT CONTROL ENVIRONMENT\n\t\n\n\n\n\n                                   Date of the assessment:   Completed on 07/09/12\n                                   Author of the assessment: Ivan Magana\n\n\n\n\n                                                                                             34\n\x0cFIRST CRITERION:                        MANAGEMENT CONTORL ENVIRONMENT\nQuestions to evaluate the               Observations of the author, based on the analysis of available documents and enquiry                  Reference to      Assessment of the Author\ncompliance with the criterion           of the entity subject to assessment (i.e., based on inquiry, interview, observation or                documents (copy\n                                        testing)                                                                                              attached)\n\n\n\n1.   Management\xe2\x80\x99s philosophy and        As a customary practice, governmental institutions in El Salvador are impacted by the                 None              No issues noted.\n     operating  style,   including      philosophy of its government officials (ministers) and the ruling party in charge.\n     management oversight\n                                        Currently, the FMLN (left wing party) is in charge and the minister in charge of the ministry of\n1.1 Develop an understanding of         environment (MARN) is Herman Rosa Ch\xc3\xa1vez (HRC). Although many members of the current\n    government officials\xe2\x80\x99 management    leadership in the government have bad feelings towards the government of the US because of\n    style and philosophy and its        the old civil war that took place in the 80s, the HRC has welcomed the help that USAID offers\n    potential impact to the project     to MARN and has taken the lead in asking USAID to perform a risk assessment level II to\n                                        determine any vulnerabilities and open the ministry to any aid.\n                                        As discussed in the following sections, we noted various vulnerabilities related to\n                                        management\xe2\x80\x99s control environment\n\n1.2 Develop an understanding of         Basically, government employees and officials respond to the government\xe2\x80\x99s Ethical law (see            B.2.4             Issues noted at PA3.a and\n    ethical     requirements     and    B.2.4) and transparency law.                                                                                            PA3.a\n    regulations      that    oversee                                                                                                          B.2.5\n    government officials                Ethical Requirements:\n                                          1. Declaracion Jurada: As part of the laws, certain government officials are required to file a\n                                             document when they join the government where they list the goods that they own when\n                                             they join the government so that the government can determine if their assets increased\n                                             while they were part of the government. The purpose is to check that government officials\n                                             did not enrich themselves while working for the government. Please note that testing of\n                                             this law was completed at 4.6 below PA3.a\n                                          2. The ethic\xe2\x80\x99s Tribunal: The government also has established a tribunal of ethics with the\n                                             purpose of reducing fraud. On 04/24/12, the president of the tribunal took place. However,\n                                             the tribunal has not been fully functional as of yet. Please note that testing of this section\n                                             was done at 4.1 through 4.5 at PA3.a\n                                          3. Transparency Law: This law has the purpose to make access to public institutions\n                                             information available to the public. This translates on the public having access to request\n                                             information from the government such as bids and information on direct procurement\n                                             entered into by governmental institutions. Please note that further testing of this law was\n                                             done in the procurement section\n1.3 Confirm that government officials   During our review, we noted that MARN does not have a process for determining and                     Schedule I-A      Issue noted:\n    have develop a process for          evaluating risk and its potential impact on the entity and its programs.                              B.2.1             The entity has not established a\n    assessing risk, which includes:     Basically, the government develops its yearly budgets based on the budgets of the previous                              process       of      assessing,\n    - Risk identification, including    years plus an adjustment due to inflation. Utilization of resources from the government (e.g.:                          mitigating, monitoring risk and\n      impact to projects and the        employees) is not tied to programs or achievable results                                                                the impact that risk would have\n      objectives of the entity                                                                                                                                  on the entity achieving its\n\n                                                                                                                                                                                   35 \n\n\x0cFIRST CRITERION:                           MANAGEMENT CONTORL ENVIRONMENT\nQuestions to evaluate the                  Observations of the author, based on the analysis of available documents and enquiry                Reference to           Assessment of the Author\ncompliance with the criterion              of the entity subject to assessment (i.e., based on inquiry, interview, observation or              documents (copy\n                                           testing)                                                                                            attached)\n\n\n\n     - Risk mitigation                                                                                                                                                objectives as noted at B.2.1\n2.   Organizational           Structure,   We reviewed reporting lines and delegation of authorities in the banking, procurement and IT        See procurement, IT    See procurement, IT            and\n     delegation of       authority and     sections.                                                                                           and          Banking   Banking sections below\n     responsibility                                                                                                                            sections below\n2.1 Review organizational charts,\n    reporting lines and requirements\n    and determine its impact to the\n    project.\n\n2.2 Review policies and procedures to      During our review, we noted that there is only one set of policies and procedures applicable to     See HR Section         Issues noted at HR Section\n    enforce segregation of duties          all employees including governmental officials; therefore, this step was completed in the HR\n    among government officials             section at HR Section\n2.3 Obtain an understanding of any         1. Quinquenial Plan: The government of El Salvador utilizes the quinquenial plan as the             B.2.6                  Issues noted in the Audit\n    system of checks and balances             means to review the performance of various government officials and how its meeting its                                 section of this document.\n    such as committees and inter-             plans for the 5 years that the government of El Salvador is in place. This process does not\n    agency oversight and assess its           seem to be efficient or productive. The reason for this assessment is that In reviewing the\n    effectiveness                             plan, it does seem to be indicate that the review process is more of a political tool used to\n                                              state what the government of El Salvador under the current administration is doing well and\n                                              accomplishing what it set up to do for the people rather than as a tool to become aware of\n                                              any issues with the current administration.\n                                           2. Financial Audits: Each governmental institution is required to go through various audits.\n                                              At a minimum, each institution is required to go through a financial audit to determine if the\n                                              officials in charge of the entity are complying with laws and regulations. We have requested\n                                              documentation for financial audits and will complete the review in the audit section of this\n                                              questionnaire.\n2.4 Assess      government   officials\xe2\x80\x99    Projects are handled via the GOES general budget or special accounts for those being funded         None                   No issues noted\n    ability to act independently from      by international donors.\n    other government entities to\n    achieve project goals                  MARN has the ability to act independently from other government entities and complete its\n                                           projects unless they are being led by other government entities such as the ministry of\n                                           agriculture (MAG).\n\n3.   Policies and Procedures               During our review, we noted that there is only one set of policies and procedures applicable to     See HR Section         Issues noted at HR Section\n                                           all employees including governmental officials; therefore, this step was completed in the HR\n3.1 Review                 governance      section at HR Section\n    documentation,         government\n    officials policies and procedures\n    and determine whether they are\n\n                                                                                                                                                                                          36 \n\n\x0cFIRST CRITERION:                           MANAGEMENT CONTORL ENVIRONMENT\nQuestions to evaluate the                  Observations of the author, based on the analysis of available documents and enquiry              Reference to      Assessment of the Author\ncompliance with the criterion              of the entity subject to assessment (i.e., based on inquiry, interview, observation or            documents (copy\n                                           testing)                                                                                          attached)\n\n\n\n    complete (i.e.: at a minimum, the\n    documentation should include\n    details on compliance with ethical\n    requirements,     segregation    of\n    duties, use of government assets,\n    compliance with anti-corruption\n    laws, travel and entertainment,\n    leave and sick time, benefits,\n    evaluations       and       dispute\n    resolution)\n\n3.2 Confirm that entity has set up         During our review, we noted that there is only one set of policies and procedures applicable to   See HR Section    Issues noted at HR Section\n    proper policies to protect assets      all employees including governmental officials; therefore, this step was completed in the HR\n    from government officials (e.g.:       section at HR Section\n    checks cannot be signed by\n    government officials or require two\n    signatures,    officials    cannot\n    approve their expense reports,\n    family members are excluded\n    from competing in bids, etc.)\n\n3.3 Develop an understanding of the        During our review, we noted that there is only one set of policies and procedures applicable to   See HR Section    Issues noted at HR Section\n    records retention policies and         all employees including governmental officials; therefore, this step was completed in the HR\n    confirm that policies clearly define   section at HR Section\n    records retentions, including the\n    types of documents to be\n    retained, applicable periods and\n    destruction policies.\n\n4. Ethics and Fraud Detection              As noted in section 1.2, the government has established the Law of Ethics (see PA3.a)             Schedule I-C      Issues noted:\n4.1 Confirm that the entity has a                                                                                                            Schedule I-D      1. MARN does not have a\n    process for monitoring and                                                                                                                                     process    for    log     in\n    investigating complaints about         We tested the process for investigated complaints as noted at Schedule I-D and Schedule I-C.                            complains or investigations.\n    potential fraud, misuse of funds.      Issues were noted                                                                                                   2. MARN has not established\n    The process should include the                                                                                                                                 a manual regarding its\n                                           During our review, we noted that the Ethics Law requires the establishment of a commission\n    following:                                                                                                                                                     policies and procedures\n                                           board at each government institution. Although MARN has established a Commission Board,\n    - Process for receiving and                                                                                                                                    related to the ethics and\n                                           we noted that meetings of the Board have not been documented. We also noted that one of\n      processing complaints (e.g.:                                                                                                                                 transparency law\n                                           the board members representing employees is a park ranges located in a remote place and\n      hotline)                                                                                                                                                 3. The ethics law has the\n\n                                                                                                                                                                                  37 \n\n\x0cFIRST CRITERION:                            MANAGEMENT CONTORL ENVIRONMENT\nQuestions to evaluate the                   Observations of the author, based on the analysis of available documents and enquiry            Reference to      Assessment of the Author\ncompliance with the criterion               of the entity subject to assessment (i.e., based on inquiry, interview, observation or          documents (copy\n                                            testing)                                                                                        attached)\n\n\n\n    - Process         for      protecting   cannot easily participate in Board meetings                                                                           following weaknesses:\n      whistleblowers                                                                                                                                            a. It does not permit any\n    - Process       for    investigating                                                                                                                            complaint to be filed in\n      complaints                                                                                                                                                    anonymity as it requires\n    - Process      for    making      the                                                                                                                           persons filing complaints\n      resolution       of     complaints                                                                                                                            to have to present them\n      available to the public                                                                                                                                       physically in person at\n                                                                                                                                                                    the tribunal\n                                                                                                                                                                b. It does not provide any\n                                                                                                                                                                    protection to\n                                                                                                                                                                    whistleblowers\n                                                                                                                                                                c. It does not define certain\n                                                                                                                                                                    elements such as leave\n                                                                                                                                                                    or detachment from\n                                                                                                                                                                    officials from their duties\n                                                                                                                                                                    while investigation takes\n                                                                                                                                                                    place if applicable, report\n                                                                                                                                                                    requirements and\n                                                                                                                                                                    publishing of results,\n                                                                                                                                                                d. Sanctions are not set up\n                                                                                                                                                                    to discourage\n                                                                                                                                                                    inappropriate behavior as\n                                                                                                                                                                    the cost of sanctions is\n                                                                                                                                                                    not set up to be equal or\n                                                                                                                                                                    greater to the damage\n                                                                                                                                                                    caused. The law basically\n                                                                                                                                                                    establishes a ceiling\n                                                                                                                                                                    totaling the equivalent of\n                                                                                                                                                                    40 minimum salaries\n                                                                                                                                                                    which may not\n                                                                                                                                                                    discourage certain\n                                                                                                                                                                    actions where the value\n                                                                                                                                                                    of the wrong may exceed\n                                                                                                                                                                    the cost of sanction.\n4.2 Review the list of complaints filed\n    in the last 2 years and select a        We obtained a list of complaints filed and completed the testing as documented at Schedule I\xc2\xad   Schedule I-D.     No issues noted\n    sample for testing and determine        D. No issues were noted during the testing\n    that:\n    - Any recommendations from the\n\n                                                                                                                                                                                 38 \n\n\x0cFIRST CRITERION:                         MANAGEMENT CONTORL ENVIRONMENT\nQuestions to evaluate the                Observations of the author, based on the analysis of available documents and enquiry             Reference to      Assessment of the Author\ncompliance with the criterion            of the entity subject to assessment (i.e., based on inquiry, interview, observation or           documents (copy\n                                         testing)                                                                                         attached)\n\n\n\n      investigation(s) were addressed\n    - Complaints were resolved timely\n4.3 Review      the      process   of    As noted in section As noted in section 1.2, the government has established the Law of Ethics    Schedule I-D.     No issues noted\n    coordinating    review of     any    (see PA3.a). Complaints reviewed by the ethics committee at MARN can be referred to the\n    complaints with other agencies as    Ethics Tribunal. However, we did not find evidence that any complaints have been forwarded\n    applicable    (e.g.:   Government    to the Ethics Tribunal\n    Ethics Tribunal \xe2\x80\x93 GET, the\n    Supreme Court, etc.)\n4.4 Review training requirements as\n    they relate to ethics and fraud      We discussed training requirements. Under the new law, each institution is required to provide   None              No issues noted\n    awareness among members of           training for its employees at least annually.\n    the entity. Perform the following    We noted that MARN is in the process of planning training for its employees.\n    testing:\n    - Confirm that ethics, fraud\n       awareness and reporting is\n       provided to employees at least\n       yearly\n    - Confirm that ethics training\n       covers aspects related to\n       investigation of complaints and\n       applicable laws\n4.5 Review the complaint mechanism:\n    - Confirm that MARN has a            We requested a copy of MARN\xe2\x80\x99s policies and procedures to process complaints. MARN does           B.2.4             Issues noted:\n       mechanism to receive              not have its own policies and procedures. In the place of its own policies and procedures, we\n                                         received a copy of the Ethics law. As noted in section 4.1 above, we noted some issues as        B.2.1             1.   MARN does not have a\n       complaints                                                                                                                                                process    for   login   in\n    - Confirm that complaints are        documented.\n                                                                                                                                                                 complains or investigations\n       forwarded to the applicable                                                                                                                               as noted on section PA3.a.\n       agency\n    - Confirm that the applicable                                                                                                                           2.   MARN has not established\n       agency reviews and                                                                                                                                        a manual regarding its\n       prosecutes cases as applicable                                                                                                                            policies and procedures\n    - Review the mechanism to                                                                                                                                    related to the ethics law as\n       make the public aware of the                                                                                                                              noted on section PA3.a.\n       outcome of any complaints\n    - Confirm that agency handing\n       complains is properly staff\n    - Is the agency independent?\n    - Do the procedures provide for\n\n                                                                                                                                                                                39 \n\n\x0cFIRST CRITERION:                         MANAGEMENT CONTORL ENVIRONMENT\nQuestions to evaluate the                Observations of the author, based on the analysis of available documents and enquiry             Reference to        Assessment of the Author\ncompliance with the criterion            of the entity subject to assessment (i.e., based on inquiry, interview, observation or           documents (copy\n                                         testing)                                                                                         attached)\n\n\n\n       fairness and due process?\n4.6 Obtain a copy of the \xe2\x80\x9cDeclaracion\n    of Patrimonio\xe2\x80\x9d related to the \xe2\x80\x9cLey   We requested a listing of the individuals who had filed a wealth declaration which is required   C.2.23 and C.2.21   Issue noted:\n    Sobre Enrequecimiento Ilicito of     to avoid officials from enriching themselves from their government jobs. We inquired as to why\n                                         the minister and vice-minister were not included in the list and were told that they were not                        Human resources does not\n    any applicable personnel of                                                                                                                               track    that  all  applicable\n    MARN:                                aware if the President had required such a document from these officials but they were not\n                                         located in the ministry\xe2\x80\x99s Human Resources files as noted at C.2.23                                                   employees     or   government\n    - Ensure that applicable forms                                                                                                                            officials file the applicable\n       were filled out timely                                                                                                                                 documentation to ensure that\n                                                                                                                                                              they are not abusing their\n                                                                                                                                                              positions.\n\n\n\n\n                                                                                                                                                                                40 \n\n\x0c                                                             Appendix IV\n\n\n\n\n\t\n\n\t\n\n\n    SECOND CRITERION:\n\n       OPERATIONS\n\n\n\n\n             Date of the assessment: \t   July 2012\n             Author of the assessment: \tIvan Magana,\n                                         Karla Hasbun,\n                                         Carlos Milla,\n                                         Blanca Ibarra and\n                                         Juan Carlos Milla\n\n\n\n\n                                                                     41\n\x0cSECOND CRITERION:                            BUDGET EXECUTION\nQuestions to evaluate the                    Observations of the author, based on the analysis of available documents and enquiry            Reference to          Assessment of the Author\ncompliance with the criterion                of the entity subject to assessment                                                             documents (copy\n                                                                                                                                             attached)\n\n\n                                             As documented in the narrative in the conclusions:\n1.   Human resources management              1) There is no salary, grades or wage policy                                                    Narrative: C.2.1      We noted one issue:\n1.1 Review policies and procedures for                                                                                                       1.     Reglamento     1. Anti-corruption laws and\n    the human resources process for          Manuals provided by MARN including policies and procedures were reviewed and we found           Interno de Trabajo    procedures for reporting waste\n    completeness. At a minimum,              policies and procedures for all the areas except the following:                                 (Internal     work    and abuse are well defined but\n    confirm that the policies include the     Exception 1 - Promotions are established in the manual                                         manual) ( C.2.4).     there is just one article for whistle\n    following areas: compliance with          "Reglamento Interno de Trabajo" (pg. 5) but in the                                                                   blower protection. See Art. 51.c.\n    ethical requirements, use of              Interview they told us that in reality they don\'t have                                         2. Programa de        pg.     29     "Ley     de     \xc3\x89tica\n    government assets, compliance             Promotions. What they can do is participate as candidate for                                   sugerencias,          Gubernamental."\n    with       anti-corruption      laws,     another position. \xe2\x80\x93                                                                            ideas de mejora y\n    promotions,       procedures       for    This exception is considered a deficiency that does                                            quejas. (C.2.7).\n    grievance, forms to be used by            not have an impact on a program.                                                               3.   Manual      de\n    employees, advances, travel and           Exception 2 - Advances is not applicable, we didn\'t find                                       Procedimientos\n    entertainment, leave and sick time,       advances in any manual. - This exception is not                                                Administrativos.\n    benefits, evaluations and process         considered a deficiency.                                                                       (C.2.8).\n    for reporting fraud, including whistle    Exception 3 - In the "Reglamento Interno de Trabajo"\n    blower protection                         pg. 19 & 20 manual they indirectly states they shouldn\'t                                       4. Ley de \xc3\x89tica\n                                              commit fraud or abuse. But there is not an anti-corruption                                     Gubernamental.\n                                              laws and procedures for reporting waste and abuse, this                                        (C.2.5).\n                                              is stated in the "Ley de Etica Gubernamental" -\n                                              This exception is not considered a deficiency.\n                                              Exception 4 - Anti-corruption laws and procedures\n                                              for reporting waste and abuse are well defined but there\n                                              is just one article for whistle blower protection. See\n                                              Art. 51.c. pg. 29 "Ley de Etica Gubernamental." \xe2\x80\x93\n                                              This is reported as an issue.\n1.2 Obtain an understanding of any           As documented in the narrative in the following conclusions:                                    Narrative: C.2.1      Issue noted:\n    monitoring tools available to            2) They do not have the proper number of employees to cover projects. If they need              None     for    the   1. They don\xe2\x80\x99t have any\n    management to manage the                      expertise in an area, consultants are hired, salaries are high. There are employees that   monitoring tools.     monitoring tools available to\n    human resources process (e.g.:                work indirectly on the projects but not indirect costs are charged to projects.            1.Job descriptions    manage the human resources\n    turnover ratio, resource allocation,     3) They do not have a turnover rate, but they have the data to obtain the rate.                 for the following     process.\n    utilization,    pool     of  expertise   4) Employees and consultants do not record their work hours in a timesheet. They only           positions:            2. Employees and consultants do\n    available to projects, etc.) and              have a record of attendance.                                                               1.1 Gerente de        not record their work hours in a\n    confirm that:                            As documented in the testing schedule the majority of the employees have the right skill\xe2\x80\x99s      Cambio Clim\xc3\xa1tico      timesheet. They only have a\n    - There are sufficient employees         match. With the following exceptions:                                                           y          Asuntos    record of attendance.\n         to carry out their work             Exception 1 - MARN does not have a salary policy according with the different jobs levels.      Estrat\xc3\xa9gicos. See     We noted 1 Issue in the testing\n    - Efficiency is tracked                  The government has hired a consulting firm to prepare a wage policy for all public employees.   attachment No. 6      schedule:\n    - They have the right skill\xe2\x80\x99s match      The consulting firm is going to provide the salary policy in 3 months (December 2012) - This    (C.2.15)              1. We noted that the description\n                                             exception is not considered a deficiency.                                                       1.2     Jefe     de   of the requirements for the job for\n                                             Exception 2 - Exception 2.1 - We noted that for three out of five employees selected for        Unidad de Cultura     employees 2, 4, and 5, did not\n\n\n                                                                                                                                                                                          42 \n\n\x0cSECOND CRITERION:                         BUDGET EXECUTION\nQuestions to evaluate the                 Observations of the author, based on the analysis of available documents and enquiry                Reference to            Assessment of the Author\ncompliance with the criterion             of the entity subject to assessment                                                                 documents (copy\n                                                                                                                                              attached)\n\n\n                                          testing, the description of the requirements for the job did not match the qualifications of the    Ambiental. . See        match the qualifications of the\n                                          candidates, as follows:                                                                             attachment No. 7        candidates, in addition, the\n                                          Employee 2) Sonia del Carmen Baires (Directora de Cambio Clim\xc3\xa1tico y Asuntos                        (C.2.15)                qualifications could have been\n                                          Estrat\xc3\xa9gicos): The job description required a Post-graduate degree and she just have a              1.3          Director   modified to fit the candidate\xc2\xb4s\n                                          bachelor in Social Science.                                                                         General           de    background.\n                                          Employee 3) Olga Luc\xc3\xada Rodr\xc3\xadguez (Jefe Unidad Cultural Ambiental): The job description              ordenamiento,\n                                          required a Post-graduate degree (master\'s degree) and a specialty in sociology, anthropology        evaluaci\xc3\xb3n          y\n                                          or social science; she has the master\'s degree. OK                                                  cumplimiento.       .\n                                          Employee 4) Francisco Ernesto Dur\xc3\xa1n Garc\xc3\xada (Gerente Cambio Cl\xc3\xadm\xc3\xa1tico): The job                      See      attachment\n                                          description required an Engineer or bachelor degree in social areas (OK) and a post-graduate        No. 8 (C.2.15)\n                                          in environment; he does not have the post-graduate degree.                                          2. Resume from\n                                          Employee 5) Silvia Margarita Hern\xc3\xa1ndez de Larios (Director General de ordenamiento,                 Silvia     Margarita\n                                          evaluaci\xc3\xb3n y cumplimiento): The job description required an Agronomic, Civil, Industrial            Hern\xc3\xa1ndez         de\n                                          Engineer and a master\'s degree in natural resources, she is not an engineer, she has a              Larios.          See\n                                          bachelor in economics and she is finishing the master\'s degree.                                     attachment No. 9\n                                          2.2 - In the job description the education requirement does not match the skills required for the   (C.2.9).\n                                          job for instance Olga Lucia Rodriguez position requires a master\xe2\x80\x99s degree and a bachelor\xe2\x80\x99s\n                                          degree in social science, anthropology or sociology (Her position is "Jefe Unidad Cultural\n                                          Ambiental"), on the contrary her boss\' (Sonia del Carmen Baires) position requires only a\n                                          bachelor\'s degree in business administration, economy or industrial engineering. The\n                                          experience for both of them is mostly consulting works, OK.       This is reported as an issue\n                                          (Issue #1)\n1.3 Obtain a listing of recently hired\n    new employees since the new           According to the testing, the majority of the staff is hired using competitive procedures see       1. MARN internal         We noted 3 Issues in the testing\n    minister was appointed and make a     attachment No. 5 (Include link), had proper qualifications to perform their duties, approvals for   work       manual,      schedule:\n    sample selection and test the         hiring new employees were properly documented and they had the appropriate experience               chapter III, article\n                                          fitting their job descriptions, except the ones that are politically appointed. We found the        #9.            See      1. The minister can directly\n    following:                                                                                                                                                        choose employees based on his\n    - Staff are hired using competitive   following exceptions in this area:                                                                  attachment No. 1\n                                                                                                                                              (C.2.13).               own judgment and it is permitted\n        procedures                        Exception 1 - There was not a competitive process because it is a position that reports                                     by the law.\n    - Personnel hired had the proper      directly to the minister who is politically appointed. The MARN internal manual, chapter III,       2.    Manual     for\n        qualifications to perform their   article #9 (see attachment No. 1), has direct hiring based on the minister needs or personal        hiring          and     2. We noted that the description\n        duties                            preferences based on trust. He can hire different positions based on this article: directors,       selecting               of the requirements for the job for\n    - Approvals for hiring new            managers, auditors, coordinators, and other positions. This is also stated in the "Recruitment      personnel         at    2-3     did   not    match     the\n        employees      were    properly   and Selection of MARN Personnel Manual" see section IV Policy, 2nd paragraph (see                   MARN.        Chapter    qualifications of the candidates;\n        documented                        attachment No. 2). In this last manual it just references the work internal manual - This is\n                                                                                                                                                    nd\n                                                                                                                                              IV, 2 paragraph.        in addition, the qualifications\n    - Personnel have the appropriate      reported as an issue (Issue #1)                                                                     See      attachment     could have been modified to fit\n        experience fitting their job                                                                                                          No. 2 (C.2.10).         the candidate\xe2\x80\x99s background.\n        descriptions                      Exception 2 - The description for the qualifications for the job is too general and could be\n                                          fulfilled by almost anyone (see attachment No. 4 pg. 7/40). Also the Manual for positions and       3. Memorandum           3. The approval from the minister\n                                          functions could be done after they selected the candidate and they can adapt the                    from   General          was not found in the file.\n\n\n                                                                                                                                                                                            43 \n\n\x0cSECOND CRITERION:                              BUDGET EXECUTION\nQuestions to evaluate the                      Observations of the author, based on the analysis of available documents and enquiry                   Reference to          Assessment of the Author\ncompliance with the criterion                  of the entity subject to assessment                                                                    documents (copy\n                                                                                                                                                      attached)\n\n\n                                               qualifications according to the candidate qualifications, just because she is the minister\'s           Director to Chief\n                                               assessor - This is reported as an issue (Issue #2)                                                     of           Human\n                                                                                                                                                      Resources stating\n                                               Exception 3 - There was not an approval in writing from the minister for this candidate Ana            art. 7 \xe2\x80\x93 (f) of the\n                                               Maria Ester Mata de Bonilla (see attachment No. 4) - This is reported as an issue (Issue #3)           Internal       Work\n                                               Exception 4 - There was not a competitive process because it is a position that reports                Manual of MARN.\n                                               directly to the minister who is politically appointed. The position was not advertised, so it is not   See      attachment\n                                               documented, on the other hand, although the minister interviews her, this was not                      No. 3 (C.2.11).\n                                               documented. It is documented from the moment the minister selects the candidate and gives              4.           Human\n                                               the curriculum to human resources - This is reported as an issue (#1)                                  Resources file for\n                                               Exception 5 -The human resources employee file is complete from the moment the minister                Ana Mar\xc3\xada Ester\n                                               selects the candidate and gives the curriculum to human resources. The following procedures            Mata de Bonilla\n                                               were not documented: vacancies published in the local newspaper, pre-selection of candidate,           (Assessor for the\n                                               technical test, psychological test and interview, evaluation of test, and selection of employee        Organizational &\n                                               from 3 candidates. This process indicates that the minister directly selected the candidate            IT    area).   See\n                                               such as E1 and E4 - Issue noted (Issue # 1)                                                            attachment No. 4\n                                                                                                                                                      (C.2.12).\n                                               Exception 6 - The position was not published in the newspaper and the minister made the                Exceptions 1, 2, 3,\n                                               selection process from candidates that had previously submitted resumes - This exception is            4, and 5 apply to\n                                               not considered a deficiency.                                                                           this employee.\n                                               Exception 7 - The employee was already working at MARN as a consultant in a project that\n                                               ended and was hired again as a MARN employee in the same position (See attachment 3) \xc2\xad\n                                               This exception is not considered a deficiency.\n1.4 Obtain a listing of contractors for\n    the last 4 years and make a sample         Document testing down in purchasing at section 4 below documented at PA3.a                             See section      4    See section 4 below.\n    selection and test the following:                                                                                                                 below\n    - Contractors are hired using\n       competitive procedures\n    - Contractors hired had the\n       proper qualifications to perform\n       their duties\n    - Approvals for hiring new\n       contractors      were        properly\n       documented\n    - Contractors are not hired based\n       on their political affiliations\n                                               As documented in the test schedule. We noted 3 exceptions:\n1.5 Review the organizational chart            1 There was not a competitive process because it is a position that reports directly to the            Test    Schedule:     We noted 3 Issues:\n    and select samples from various                minister who is politically appointed. The MARN internal manual, chapter III, article #9,          C.2.3\n                                                                                                                                                                            1. The minister can directly\n\n                                                                                                                                                                                                   44 \n\n\x0cSECOND CRITERION:                          BUDGET EXECUTION\nQuestions to evaluate the                  Observations of the author, based on the analysis of available documents and enquiry                  Reference to       Assessment of the Author\ncompliance with the criterion              of the entity subject to assessment                                                                   documents (copy\n                                                                                                                                                 attached)\n\n\n    employees and confirm that their            has direct hiring based on the minister needs or personal preferences based on trust. He                            choose employees based on his\n    qualifications and experience agree         can hire different positions based on this article: directors, managers, auditors,                                  own judgment and it is permitted\n    with the grade level                        coordinators, and other positions. This is also stated in the "Recruitment and Selection of                         by the law.\n                                                MARN Personnel Manual" see section IV Policy, 2nd paragraph. In this last manual it just\n                                                references the work internal manual - This is reported as an issue (Issue #1)                                       2. We noted that the description\n                                           2 The description for the qualifications for the job is too general and could be fulfilled by                            of the requirements for the job for\n                                                almost anyone. Also the Manual for positions and functions could be done after they                                 2-3     did   not    match     the\n                                                selected the candidate and they can adapt the qualifications according to the candidate                             qualifications of the candidates;\n                                                qualifications, just because she is the minister\'s assessor - This is reported as an issue                          in addition, the qualifications\n                                                (Issue #2)                                                                                                          could have been modified to fit\n                                           3 There was not an approval in writing from the minister for this candidate - This is reported                           the candidate\xe2\x80\x99s background.\n                                                as an issue (Issue #3)                                                                                              3. The approval from the minister\n                                           4 The human resources employee file is complete from the moment the minister selects the                                 was not found in the file.\n                                                candidate and gives the curriculum to human resources. The following procedures were\n                                                not documented: vacancies published in the local newspaper, pre-selection of candidate,\n                                                technical test, psychological test and interview, evaluation of test, and selection of\n                                                employee from 3 candidates. This process indicates that the minister directly selected the\n                                                candidate such as E1 and E4 - Issue noted (Issue #1)\n                                           5 The human resources employee file is complete from the moment the minister selects the\n                                                candidate and gives the curriculum to human resources. The following procedures were\n                                                not documented: vacancies published in the local newspaper, pre-selection of candidate,\n                                                technical test, psychological test and interview, evaluation of test, and selection of\n                                                employee from 3 candidates. This process indicates that the minister directly selected the\n                                                candidate such as E1 and E4 - Issue noted (Issue #1)\n                                           6 The position was not published in the newspaper and the minister made the selection\n                                                process from candidates that had previously submitted resumes - This exception is not\n                                                considered a deficiency.\n                                           7 The employee was already working at MARN as a consultant in a project that ended and\n                                                was hired again as a MARN employee in the same position - This exception is not\n                                                considered a deficiency.\n        a.    Review MARN\xe2\x80\x99s strategy       As documented in the narrative, they have no training because there is no budget for training\n              for train staff to develop   in the Ministry of finance. However, there is an institutional network of training (responsible for   Narrative: C.2.1   Issue noted: MARN does not\n              capacity:                    training in all ministries) and for English training. The European Academy gives English                                 have a strategy to train staff.\n   -   Review the type of ongoing          classes in the Ministry and every employee interested pays for them.\n       training that is provided to\n       address        any       employee\n       weaknesses\n   -   Review all trainings that are\n       provided for all employees\n       during the year\n\n\n                                                                                                                                                                                          45 \n\n\x0cSECOND CRITERION:                           BUDGET EXECUTION\nQuestions to evaluate the                   Observations of the author, based on the analysis of available documents and enquiry                 Reference to         Assessment of the Author\ncompliance with the criterion               of the entity subject to assessment                                                                  documents (copy\n                                                                                                                                                 attached)\n\n\n2   Budgeting,     accounting       and     We obtained copies of the policies and procedures for the Government of El Salvador (GOES)           Narrative        \xe2\x80\x93   Issue     noted:     During     our\n    financial reporting                     and performed a walkthrough of the process as noted in the narrative.                                Budget: C.2.20       meetings, we became aware that\n                                                                                                                                                                      the GOES develops the budget\n2.1 Review policies and procedures for      The policies included a process for approving the budget which has more than one tier as                                  based on the prior year plus\n    budget, accounting and financial        described by the law (one at the ministry level and one at the finance ministry or government                             adjustments due to inflation; but,\n    reporting cycles and review for         level).                                                                                                                   this is done based on salaries\n    completeness (i.e.: confirm that the                                                                                                                              and it is not done at the project\n    policies include approval process,      We noted that the GOES develops the budget based on the prior year plus adjustments due to\n                                            inflation; but, this is done based on salaries and it is not done at the project level. Currently,                        level. Currently, there is a plan to\n    reporting deadlines, reporting lines,                                                                                                                             move towards a budget that will\n    access to computer software,            there is a plan to move towards a budget that will be project driven in the next 5 years \xe2\x80\x93 This is\n                                            noted as an issue.                                                                                                        be project driven in the next 5\n    delegation of duties, etc.)                                                                                                                                       years.\n2.2 Review process flows for the\n    budgeting, accounting and financial     We obtained a budget flow for the budgeting process as noted in the narrative. The budget            Narrative        \xe2\x80\x93   No issues noted\n                                                                                                  th\n    processes and evaluate the              process begins in April and ends prior to September 30 when the draft budget will summit to          Budget: C.2.20\n    effectiveness of various controls       the legislative approval.\n                                                                                                                                                 Schedule II-D\n    used in this process                    We tested the controls for the budget process in the test plan and noted the deficiencies noted\n                                            in the observations\xe2\x80\x99 column.                                                                         Schedule II-E\n\n\n\n2.3 Obtain system flows or flowcharts       As noted above, this has been documented in the narrative. We identified controls and are            Narrative        \xe2\x80\x93   Conclusions noted on 2.4 below\n    of the budget, accounting and           testing them as noted in 2.4 below.                                                                  Budget\n    financial   reporting       systems.\n    Determine     controls      available                                                                                                        See 2.4 below\n    throughout the process and\n    determine their functionality\n2.4 For the budget cycles, review\n    controls over projects to confirm       We met with Carla Canas (CC), UFI Manager at MARN, and discussed controls over the                   Narrative Budget:    Issues noted as follows:\n    that:                                   budget process as documented in the narrative.                                                       C.2.20\n                                                                                                                                                                      1. Reallocation or reprograming\n    - Budgets are approved timely           When it comes to timeliness, during our initial testing (as noted in the narrative), we noted that   Schedule II-D           of funds to different budget\n    - Budgets are reviewed and              they have been preparing the budget timely.                                                                                  areas is done without the\n       approved timely                                                                                                                           Schedule II-E           appropriate level of approval.\n    - Funds and budgets for specific        All changes made during the fiscal year are tracked with the Programming of the Budget                                       For instance, UFI may make\n       projects are restricted from         Execution Report (PEP). This report serves as monitor and control execution, comparing the                                   budget reallocations without\n       other use                            planned budget with the actual execution.                                                                                    the appropriate approval while\n    - Deviations from the original          According with the interview with CC (UFI Manager) every major reallocation in the budget                                    reprograming of funds are\n       budget are tracked and properly      required approval from Directorate General of Budget following the mandatory procedures.                                     approved by the UPC manager\n       approved                                                                                                                                                          without the required next level\n                                                                                                                                                                         of approval (See Schedule II\xc2\xad\n\n\n                                                                                                                                                                                            46 \n\n\x0cSECOND CRITERION:                           BUDGET EXECUTION\nQuestions to evaluate the                   Observations of the author, based on the analysis of available documents and enquiry                Reference to        Assessment of the Author\ncompliance with the criterion               of the entity subject to assessment                                                                 documents (copy\n                                                                                                                                                attached)\n\n\n                                                                                                                                                                      D)\n                                                                                                                                                                    2. MARN is currently utilizing a\n                                                                                                                                                                       manual notebook as an\n                                                                                                                                                                       informal mechanism to track\n                                                                                                                                                                       shortfalls in budget funding\n                                                                                                                                                                       rather    than    utilizing   the\n                                                                                                                                                                       accounting      system      (See\n                                                                                                                                                                       Schedule II-D).\n2.1 Off-budget spending\n     - What is the extent of extra-         The extra budgetary resources do not require legislative approval if they came from                 Narrative Budget:   No issues     noted    during   the\n        budgetary funds, special funds      FOMILENIO, FONAES, Grants from donors community directly management by the Ministries,              C.2.20              testing.\n        and separate or supplementary       and earning incomes generated by providing goods and services.\n        budgets?\n     - Who benefits from them?\n2.5 Obtain an understanding of how                                                                                                                                  Issue noted:\n    special    accounts      are    used,   These special projects are managed separately by each entity (e.g.: MARN) and are ruled by          Narrative Budget:   We noted that unused Funds in\n    including controls to:                  the law mentioned in the agreement/contract with the donor. As we note in the annual report         C.2.20              the GOES budget can be\n    - Implement and maintain special        MARN had more than 20 cooperation projects in 2010.                                                                     misappropriated        by      the\n        accounts                            We found that projects are handled directly in separate bank accounts. Many projects have                               government if unused in the year\n    - Monitoring special accounts           two bank accounts (saving and operations accounts). Donor agencies transferred funds to the                             when budgeted. This may impact\n    - Restricting funds in special          saving accounts and the institutions have distributed funds using check accounts. Please refer                          programs that have budgets\n        accounts (restrictions placed on    to the bank accounts section of the testing for further details on controls over bank accounts.                         extending for more than one\n        accounts)                                                                                                                                                   year. In theory a project may lose\n                                            If the donations has included in the general budget, in theory, this funds will be captured by                          its funds if it were to donate\n                                            the treasury in case they would not be used in the current budget year. In the past, MARN has                           funds that were placed directly\n                                            cases of misappropriated funds by the treasury.                                                                         into    the     GOES       budget.\n                                                                                                                                                                    Furthermore, political changes\n                                                                                                                                                                    may result in changes to special\n                                                                                                                                                                    accounts enabling GOES to\n                                                                                                                                                                    misappropriate unused funds\n                                                                                                                                                                    even if they are from projects\n                                                                                                                                                                    (See Budget Iss App).\n2.6 Develop an understanding of             We found that the major responsible of execution of budget is the Directorate of Budget             Narrative Budget:   No issues     noted    during   the\n    controls to ensure segregation of       (Treasury) who leads, regulates, and control the formulation, implementation, monitoring and        C.2.20              testing.\n    duties are enforced to ensure           evaluation of general budget. The General Director has responsible to report to Minister of\n    budgets are followed                    Finance on a regular basis the results of execution of budget, including recommendations for\n                                            corrective action to deviations.\n                                            In the case of the public institutions, each entity is responsible to execute the budget that has\n\n                                                                                                                                                                                          47 \n\n\x0cSECOND CRITERION:                            BUDGET EXECUTION\nQuestions to evaluate the                    Observations of the author, based on the analysis of available documents and enquiry            Reference to        Assessment of the Author\ncompliance with the criterion                of the entity subject to assessment                                                             documents (copy\n                                                                                                                                             attached)\n\n\n                                             been allocated. The UFI manager has the responsibility to inform to the highest level of\n                                             authority about the follow up on the budget.\n2.7 Do financial regulations provide for\n    additions to budgets during the          We note that in recent years, MARN has received extraordinary resources form international      Narrative Budget:   No issues      noted   during   the\n    year? If so                              cooperation reaching more than three-quarters of total ordinary funds for a fiscal year. The    C.2.20              testing.\n     - What is the procedure?                trend is upward to get more extraordinary funds and there are not prohibitions or ceiling to\n     - Is there a limit for which            acquire these funds.\n        approval is not required?\n2.8 Obtain the chart of accounts for the     We reviewed the financial statements and did not see any accounts that merit any further        C.2.16              Issue noted:\n    MARN and the balance sheet for           review.\n    some quarters and confirm that:                                                                                                                              MARN does not reconcile\n                                             When it comes to account balances, we noted that MARN utilizes the SIAF system for                                  purchases done manually in\n    - It does not contain accounts that      purchases and assets while the SAFI system from the ministry of Finance for their accounting                        Excel and in the system SIAF to\n       seem strange or could be              needs. We noted that data kept in the SIAF and Excel (purchases) is not reconciled to the                           the ones in the Accounting\n       misused                               SAFI accounting system                                                                                              system (SAFI)\n    - Major account balances are\n       reconciled timely (e.g.: cash         When it comes to the balance sheet, the system is mapped to the financial statements.\n       balance to accounts making up\n       cash, payroll accounts, assets,\n       etc)\n    - The balance sheet per MARN is\n       reconciled to the one from the\n       financial statement\n    - The balance sheet is mapped to\n       the financial statements\n2.9 What is the extent of spending by\n    autonomous agencies in the               MARN has two special funds: the Environment fund of El Salvador (FONAES) and the                Narrative      \xe2\x80\x93    No issues      noted   during   the\n    budget for MARN? Does MARN               Environment Foundation of Santa Ana project. These projects have received transfers             Budget              testing.\n    have any controls over such              according to the budget programming PEP. Institutions have provided the supporting\n    spending?                                documents in order to be available to receive these funds.\n                                             We note that through this procedure, the Ministry ensures that funds have been used were\n                                             promptly budget.\n2.10When it comes to budget\n    transparency and access to               The government has many web sites to inform about fiscal transparency (budget and                                   Issue note: There is no\n    information, what is the degree of       expenditures), procurement process (COMPRASAL), fiscal sector data (BCR), and more                                  regulated      procedure       for\n    public access to key fiscal              recently a special web site for transparency (Government Transparent).                                              consulting public opinion on\n    information?                                                                                                                                                 budget,     although     informal\n                                             We found a citizen\xe2\x80\x99s guide has made by Ministry of Finance to provide a simple, user-friendly                       discussions    are   held    with\n     - Is it limited to raw fiscal data on   explanation of the components of general budget and summary of the main budget figures.\n        an official website?                                                                                                                                     organizations representing the\n                                             This guide was published and broadly disseminated.                                                                  public and enterprise sector and\n\n                                                                                                                                                                                        48 \n\n\x0cSECOND CRITERION:                          BUDGET EXECUTION\nQuestions to evaluate the                  Observations of the author, based on the analysis of available documents and enquiry               Reference to        Assessment of the Author\ncompliance with the criterion              of the entity subject to assessment                                                                documents (copy\n                                                                                                                                              attached)\n\n\n     - Does the government produce a       However, we noted that the public opinion is generally not consulted sufficiently in terms of                          other think tanks.\n       \xe2\x80\x98Citizens\xe2\x80\x99 Guide\xe2\x80\x99 to the Budget?    plans for budget and its modifications. MARN hasn\xe2\x80\x99t any procedures to drive a citizen\xe2\x80\x99s\n     - Are there opportunities for the     consulting process about the allocation of funds and construction of their budget.\n       public to comment on and\n       review budgets before they are\n       formulated or approved?\n2.11When it comes to reserves\n    requirements in the budget             We note the MARN budget has increase in recent years and the special funds During                  None                No issues     noted   during   the\n     - Do financial regulations provide    development of a new budget, adjustments are made to the budget from the previous year                                 testing.\n       for inflation or other reserves?    due to inflation.\n     - If so, how are these reserves       There are not incremental rules in the budget. The general budget has a reserves or special\n       handled?                            allocations for emergencies purposes.\n\n2.12 Review controls over approval of      Monitoring the budget and its execution is extensive audited and oversight for many                Narrative       \xe2\x80\x93   No issues     noted   during   the\n    budgets.                               institutions including Internal Audit Unit of entities responsible for its execution, Court of     Budget (C.2.20)     testing.\n     - Is MARN solely responsible for      Accounts, Directorate of Budget as noted in the narrative.\n       budgetary control?                  As we mentioned above the major responsible of execution of budget is the Directorate of\n     - What monitoring tools are used      Budget (Minister of Finance) and each UFI manager has the responsibility for their entity\xe2\x80\x99s\n       by other agencies for evaluation    budget, which is further explained in the narrative.\n       purposes?\n     - How is over/under spending\n       reported to the responsible\n       government official? If so, are\n       those only above certain limits\n       reported?\n2.13Confirm how transfer of funds are\n    used by the ministry:                  The Directorate General of Treasury (DGT) gave a single treasury account to each entity and        Narrative       \xe2\x80\x93   No issues     noted   during   the\n     - Assess        what  degree     of   has authorized subsidiary bank accounts and managed by institutions.                               Budget (C.2.20)     testing.\n        flexibility MARN has to transfer   The DGT has established monitoring and oversights procedures to check the bank accounts\n        funds                              balances. Institutions must summit banks reconciliations and balance monitoring information\n     - What controls are in place to       on a regular schedule (For further details on the testing related to bank accounts, please refer\n        determine that funds are used      to Test Schedule II \xe2\x80\x93 Sheets J and K)\n        as intended\n                                           Each month, the institutional treasury (UFI) received programed funds from the Ministry of\n                                           Finance into a main bank account. Then the institutional treasury (UFI) transfer funds to\n                                           subsidiaries bank accounts in order to management the cash flow using electronic procedures\n                                           (such as token codes).\n2.14When it comes to accounting,\n    confirm that:                          Basis of accounting: GOES utilizes bases of accounting that uses both cash basis and               Schedule II-G       No issues were noted.\n\n\n                                                                                                                                                                                        49 \n\n\x0cSECOND CRITERION:                            BUDGET EXECUTION\nQuestions to evaluate the                    Observations of the author, based on the analysis of available documents and enquiry               Reference to      Assessment of the Author\ncompliance with the criterion                of the entity subject to assessment                                                                documents (copy\n                                                                                                                                                attached)\n\n\n     - The basis of accounting is            accrual (modified basis). This basis of accounting is other than GAAP and follows local laws.      Schedule II-F\n       clearly established and it follows    We did confirm that all the governmental units follow the same local accounting rules.\n       some clear and consistent                                                                                                                C.2.16\n       guidelines (e.g.: GAAP, local         Impact of local regulation on projects: Donor projects are handled separately including\n       GAAP, international standards)        with their own bank accounts. Since these projects are not part of the government budget,\n     - The basis of accounting are the       their accounts extend beyond one year. Accounting and reporting for these projects is done\n       same for all the various              using the government\xe2\x80\x99s local accounting system (SAFI) and may also require the use of\n       governmental units                    another accounting package if the donor requires it. When it comes to the financial statements\n     - Impact that local regulation has      prepared for projects, they may have to be done manually using Excel since the SAFI system\n       on the reporting of specific          has the ledger accounts established by the GOES that may not correspond to the accounts\n       projects or the use of special        required by a donor. Financial statements for donors are prepared in accordance with the\n       accounts                              donor agreements.\n     - Fund statements for the projects      Controls over Journal Entries: We tested the following controls over journal entries:\n       are     prepared      using     the   sequential numbering, controls over deletion of posted journal entries, field restrictions in\n       government software rather            journal entries, timing restrictions (no prior year postings) as documented at Schedule II-G. No\n       than being prepared manually          issues were noted\n     - Financial statements for projects\n       are prepared periodically             Additions to Chart of Accounts: We tested controls over additions to the chart of accounts\n     - Journal         entries         are   as documented at Schedule II-F. No issues were noted during the testing.\n       systematically numbered\n     - Additions to the chart of\n       accounts are controlled centrally\n     - Access to the accounting\n       system is restricted based on\n       duties\n2.15When it comes to the general\n    ledger, confirm that:                    MARN utilizes the SAFI accounting system maintained by Hacienda (Ministry of Finance) to           None              No issues noted\n     - There is a link between the           record all their accounting journal entries and produce their financial statements. According to\n       general     journal,    subsidiary    the Ministry of Finance, SAFI is utilized by most GOES entities (about 98%).\n       ledger and the general ledger         During our review, we confirmed that for payroll, a separate system is utilized (SIRH).\n     - Subsidiary       ledgers        are   However, the data from SIRH is uploaded to SAFI once a month.\n       reconciled to the general ledger\n                                             We noted that there are no subsidiary ledgers maintained in other systems that needed to be\n                                             reconciled.\n2.16\n        -\n3.     Collections, deposits and cash\n       funds                                 We reviewed policies and procedures related to the cash cycle as documented at Schedule II\xc2\xad        Schedule II-I     No issues   noted   during   the\n                                             I                                                                                                                    testing\n                                                                                                                                                C.2.24\n3.1 Review policies and procedures for\n\n                                                                                                                                                                                      50 \n\n\x0cSECOND CRITERION:                            BUDGET EXECUTION\nQuestions to evaluate the                    Observations of the author, based on the analysis of available documents and enquiry             Reference to      Assessment of the Author\ncompliance with the criterion                of the entity subject to assessment                                                              documents (copy\n                                                                                                                                              attached)\n\n\n    the cash cycle and review for            We confirmed that policies are in place and enforced.\n    completeness (i.e.: confirm that the\n    policies include controls over           We confirmed that tracking is done by project as individual accounts are maintained for each\n    access to cash and checks,               project.\n    reconciliation of bank accounts, use\n                                             We reviewed the process for selecting bank accounts and noted that MARN only utilizes one\n    of petty cash funds, segregation of\n                                             bank. MARN has a total of 55 bank accounts.\n    duties, etc.)\n     - Confirm that the policies are in\n         place and enforced\n     - Confirm that cash tracking can\n         be done by project by fund and\n         account\n     - Review         procedures      for\n         selecting banks. Is a single\n         bank used for all banking\n         needs?\n     - How are credit cards utilized?\n3.2 Review process flows for the cash        Process reviewed process flows for the accounting cycle and payments of expenses related to      C.2.24            No issues noted.\n    process      and     evaluate the        projects.\n    effectiveness of various controls\n    used in this process\n3.3 Confirm that there are controls over\n    cash       management       including    We discussed management controls over funds. Per MARN, account balances are invested in          C.2.24            No issues noted\n    investing accounts to generate           CD accounts and earn interest if the contract/agreement requires that funds be invested while\n    interest when not in use                 they await usage. CD accounts that earn interest are tracked as applicable for some projects\n      - Confirm    that     short    term    and interest earned is integrated as applicable.\n        investments      are      properly\n        tracked\n      - Investments are reconciled and\n        integrated into the accounting\n        records\n3.4 Confirm whether cash rationing has\n    been      imposed.    Develop      an    No cash rationing was noted.                                                                     None              No issues noted\n    understanding of the rules for           When it comes to the tracking of funds and budgets, this area is covered in the budget section\n    rationing cash                           of the testing. When it comes to the tracking of project funds, we noted that an accounting\n3.5 Confirm that there are sufficient        tech is responsible for tracking account balances and usages of cash for each individual\n    tracking tools to properly manage        project.\n    the cash needs of the projects and\n    the entity\n\n\n                                                                                                                                                                                   51 \n\n\x0cSECOND CRITERION:                           BUDGET EXECUTION\nQuestions to evaluate the                   Observations of the author, based on the analysis of available documents and enquiry              Reference to      Assessment of the Author\ncompliance with the criterion               of the entity subject to assessment                                                               documents (copy\n                                                                                                                                              attached)\n\n\n3.6 Review the potential impact of the\n    use of a single account act and the     GOES is in the process of undergoing a project that oversees the upgrade of the SAFI              None              Potential Issue:\n    impact to any projects managed by       accounting system used by most government institutions in El Salvador. This project is also\n                                            trying to implement the use of a single account. However, implementation of a single account                        Use of a single account is being\n    the entity:                                                                                                                                                 considered for the future. This\n    - Develop an understanding of any       would seem to require changes in regulation since all the payments including the ones for\n                                            special projects would have to be managed from one account rather than being managed from                           may negatively impact projects\n      treasury single account                                                                                                                                   as unused funds may be\n    - Does the entity use one single        various bank accounts as it currently is handled.\n                                                                                                                                                                misappropriated      by   GOES\n      bank for all accounts or various      Implementation of a single account may have an impact to the projects in the future. Currently,                     depending on how the law is\n      banks?                                donor programs/projects are managed using independent bank accounts that are not tied to                            written at the time.\n                                            the budged of the GOES. Changing to a single account may have an impact in that unused\n                                            funds may be misappropriated if not used during the year when they were designated. USAID\n                                            needs to assess the future impact of using a single account in light of the law at the time.\n\n3.7 Review controls over the cash           We reviewed and tested the process for recording cash adjustments as noted at Schedule II-K       Schedule II-K     No issues were noted\n    process to record adjustment to\n    cash balances and confirm that\n    adjustments to cash balances are\n    recorded timely\n\n3.8 Confirm that the budget and cash        When it comes to projects, tracking of the budget and cash is monitored by an accounting          None              No issues were noted\n    plans are integrated, taking account    tech. For projects, MARN sets up a spending plan which is monitored.\n    the timing of payments and updates\n    of cash during the year.\n\n3.9 Confirm that the entity uses an         When it comes to projects, tracking of the budget and cash is monitored by an accounting          None              No issues were noted\n    annual cash plan, which is updated,     tech. For projects, MARN sets up a spending plan which is monitored\n    setting out monthly cash inflows,\n    outflows,      and        borrowing\n    requirements\n                                                                                                                                                                Exceptions noted:\n3.10 Review controls over access to         We reviewed controls over access to the bank accounts. MARN maintains 55 bank accounts.           C.2.24            1. MARN utilizes an excessive\n     the cash account balances and          Bank accounts require two signatures for any checks or to transfer funds to pay vendors. We                            number of accounts which\n     confirm that access to the bank        tested controls over access to bank accounts as documented at Schedule II-J                       Schedule II-J\n                                                                                                                                                                   increase the likelihood of\n     accounts is limited and powers of                                                                                                                             fraud        and       creates\n     authority of government officials to   When it comes to government officials, they are not authorized to sign checks or transfer\n                                            funds from the bank accounts.                                                                                          inefficiencies.   Additionally,\n     such accounts is restricted                                                                                                                                   GOES         maintains      an\n                                                                                                                                                                   excessive       number       of\n                                                                                                                                                                   accounts (around 1200 -\n                                                                                                                                                                   1500)\n                                                                                                                                                                2. We noted that the same\n\n                                                                                                                                                                                     52 \n\n\x0cSECOND CRITERION:                            BUDGET EXECUTION\nQuestions to evaluate the                    Observations of the author, based on the analysis of available documents and enquiry              Reference to       Assessment of the Author\ncompliance with the criterion                of the entity subject to assessment                                                               documents (copy\n                                                                                                                                               attached)\n\n\n                                                                                                                                                                     individuals are basically in\n                                                                                                                                                                     charge      of   being      the\n                                                                                                                                                                     signatories for various bank\n                                                                                                                                                                     accounts. The reason for this\n                                                                                                                                                                     is    that   MARN      as     a\n                                                                                                                                                                     government institution only\n                                                                                                                                                                     has a certain number of\n                                                                                                                                                                     employees that are allowed to\n                                                                                                                                                                     have access to bank accounts\n                                                                                                                                                                     and sign checks. This may\n                                                                                                                                                                     seem to potentially cause\n                                                                                                                                                                     conflicts as people managing\n                                                                                                                                                                     various projects are signing\n                                                                                                                                                                     checks for various projects.\n3.11 Discuss with government officials       We met with MARN employees and discuss controls used to prevent fraud, waste and abuse.           C.2.24             Issue noted in the expenditures\n     controls used to prevent and            Basically, MARN relies on the following controls: segregation of duties (e.g.: requisition                           section related to potential\n     detect fraud, waste and abuse in        approval and receiving of goods), two signatories being required for each check, bank             Schedule II-J      segregation of duties issue.\n     the bank and fund accounts              reconciliations, ethics committee.                                                                Schedule II-K\n     (discuss the use of both front and\n     back end controls, or combination       During our review of purchases (see expenditures section), we noted that signers of checks\n     of preventive, detective and            perform multiple duties such as being involved in choosing the vendor, signing the checks,\n     corrective)                             receiving the goods and preparing the journal entries \xe2\x80\x93 This is further discussed in the\n                                             expenditures section.\n\n3.12 Review segregation of duties            During our review of purchases (see expenditures section), we noted that signers of checks        See expenditures   Issue noted in the expenditures\n     over cash accounts over physical        perform multiple duties such as being involved in choosing the vendor, signing the checks,        section.           section related to potential\n     security, authority and recording.      receiving the goods and preparing the journal entries \xe2\x80\x93 This will be further discussed in the                        segregation of duties issue.\n     Confirm that the duties of signing      expenditures section, please refer to it.\n     checks     is    separated    from\n     preparing bank reconciliations,\n     recording     transactions     and\n     custody of assets (assets to\n     vault)\n                                                                                                                                                                  Issues noted:\n3.13 Make a selection of cash                We reviewed controls over bank reconciliations and confirmed that they were functioning as        C.2.24             1) We noted that MARN does\n       accounts and test the following:      intended.                                                                                                               not have a control to further\n                                                                                                                                               Schedule II-J\n    -              reconciliations     are   We noted that all bank accounts require two signatures per check or transfer. However, we                               mitigate the risk of loss for\n        prepared timely\n      Bank                                   noted that MARN does not have a control to further mitigate the risk of loss for high payments.   Schedule II-K         high payments. There is no\n    - Reconciling items are resolved         There is no control requiring a second level review or approval for payments exceeding a                                control requiring a second\n        timely (they are not carried from                                                                                                                            level review or approval for\n\n                                                                                                                                                                                       53 \n\n\x0cSECOND CRITERION:                            BUDGET EXECUTION\nQuestions to evaluate the                    Observations of the author, based on the analysis of available documents and enquiry             Reference to         Assessment of the Author\ncompliance with the criterion                of the entity subject to assessment                                                              documents (copy\n                                                                                                                                              attached)\n\n\n          month to month)                    certain threshold.                                                                                                       payments exceeding a certain\n     -    Reconciliations were reviewed                                                                                                                               threshold.\n     -    Reconciliations were accurate      We inquired about controls to ensure that employees handling bank accounts do not commit                              2) background checks are done\n          (they reconciled to the general    fraud. First, background checks are done of individuals responsible for bank accounts;                                   of individuals responsible for\n          ledger and to the bank             however, they are only done when employees first join MARN rather than periodically.                                     bank accounts; however, they\n          statement)                         Second, MARN maintains bonds/insurance for employees handling bank accounts; however,                                    are     only     done     when\n     -    Items on the reconciliation are    the amounts insured do not represent the balances managed in the bank accounts. Basically,                               employees first join MARN\n          properly supported                 the insurance only covers up to approximately $11K per employee when the account balances                                rather than periodically\n     -    Check signing requires more        could be in the millions.                                                                                             3) MARN maintains insurance to\n          than one signature based on the                                                                                                                             cover potential losses caused\n          value of the payment                                                                                                                                        by employees handling bank\n     -    Payments exceeding a certain                                                                                                                                accounts;      however,     the\n          threshold (e.g.: $100K) require                                                                                                                             amounts insured do not\n          additional approvals                                                                                                                                        represent      the    balances\n     -    The background of people                                                                                                                                    managed       in   the    bank\n          executing checks is checked                                                                                                                                 accounts.     The    insurance\n     -    Bond amounts of people signing                                                                                                                              covers up to approximately\n          checks is significant enough to                                                                                                                             $11K per employee when the\n          cover the value of the account                                                                                                                              account balances could be in\n          balances                                                                                                                                                    the millions\n 3.14    Make a selection of petty cash\n         accounts and test the following:    This item was covered in the procurement section. Please refer to the sample testing in          This item was        This item was covered in the\n     -    Items in the petty cash fund are   section 4.                                                                                       covered in the       procurement section. Please\n          properly supported                                                                                                                  procurement          refer to the sample testing in\n     -    Only petty purchases are                                                                                                            section.    Please   section 4.\n          recorded                                                                                                                            refer    to    the\n                                                                                                                                              sample testing in\n                                                                                                                                              section 4.\n\n4.   Procurement, purchasing          and    We obtained a copy of the policies and procedures and reviewed them as noted.                    Narrative: E.2.2     Issue #1: Although MARN has a\n     disbursement cycle                                                                                                                                            system to track purchases; it is\n                                             The legal framework for purchasing is the Public Acquisition Law (LACAP). The Unit               Test Schedule II \xe2\x80\x93   not fully utilized as donor projects\n4.1 Review policies and procedures for       responsible for the bidding, evaluation, and award process is the UACI. The UACI is required     Sheet      L     \xe2\x80\x93   are managed manually by using\n    the purchasing and disbursements         by law to publish all solicitations, regardless of dollar value, in a system called COMPRASAL,   Schedule II-L        Excel. The impact is that there is\n    cycle and review for completeness        which is kept by the Ministry of Finance.                                                                             no way of managing the\n    confirming that they address at the                                                                                                                            purchase cycle and understand\n    minimum the bidding process (this        MARN utilizes the SIAF system to input requisitions and to partly comply with the LACAP\n                                             regulation. However, we noted that not all the purchases are input into the SIAF system. The                          delays       or     monitoring    of\n    should include bid evaluation                                                                                                                                  payments. Furthermore, there is\n    process such as committees,              majority, approximately 90% of all donor projects are kept outside the SIAF system (This is\n                                             reported as an issue). When it comes to the tracking of payables or the vendor listing, UACI                          a lack of a database that\n    competency, etc.), selection of                                                                                                                                provides timely and reliable\n    vendors, maintenance of the              does not have a systematic tracking system for open purchases because not all purchases\n\n\n                                                                                                                                                                                         54 \n\n\x0cSECOND CRITERION:                            BUDGET EXECUTION\nQuestions to evaluate the                    Observations of the author, based on the analysis of available documents and enquiry                Reference to       Assessment of the Author\ncompliance with the criterion                of the entity subject to assessment                                                                 documents (copy\n                                                                                                                                                 attached)\n\n\n    vendor listing, regulations related to   are input in the SIAF system as noted above.                                                                           information (please refer to the\n    LACAP,       ordering     processing                                                                                                                            narrative for further details)\n    system,      purchase      approvals,    When it comes to the maintenance of the vendor listing, UACI does not have a system for\n    tracking of open orders and              managing the vendors. Furthermore, the vendor listing is maintained in a separate system                               Issue #2: Registration control\n    tracking of payables                     owned by UNAC from the Ministry of Finance (Hacienda).                                                                 and maintenance of vendors in\n                                                                                                                                                                    COMPRASAL seems to be split\n                                                                                                                                                                    between MARN and the Ministry\n                                             When it comes to the bid evaluation process, as documented in the narrative, there are 3                               of Finance (Hacienda) without\n                                             types of award bidding processes depending on the value:                                                               clear       assignment      for\n                                                 \xef\x82\xb7    Bidding process if it is greater than $53,000 which requires that it goes through the                         maintenance of the vendor\n                                                      COMPRASAL portal and publication in local newspapers. Furthermore, the bidders                                master file, especially vendors\n                                                      have the right to ask for a review of the process if they do not win.                                         who are at default.\n                                                 \xef\x82\xb7    If the value is less than $53,000, it could go through what is called \xe2\x80\x9clibre gestion\xe2\x80\x9d\n                                                      which is processed by the MARN unit in charge of managing the bidding (UACI) and                              Issue #3: Direct procurement\n                                                      places the item in COMPRASAL and vendors can submit quotes. However, bidders                                  bypasses        any        controls\n                                                      do not have the right to request a review in case they lose.                                                  established to ensure that you\n                                                                                                                                                                    utilize the most qualified vendor\n                                                 \xef\x82\xb7    In case MARN determines that they have one vendor uniquely qualified, they may\n                                                                                                                                                                    for the lowest price. Furthermore,\n                                                      bypass any other option and choose the one vendor directly. However, they are\n                                                                                                                                                                    there are no ceilings on the value\n                                                      required to publish in COMPRASAL, the solicitation and who they awarded the\n                                                                                                                                                                    of the procurement that can go\n                                                      contract to. (This is reported as an issue)\n                                                                                                                                                                    through the direct procurement\n                                                                                                                                                                    process. We recommend that the\n                                                                                                                                                                    instrument defines that direct\n                                                                                                                                                                    procurement should not be used\n                                                                                                                                                                    in the project.\n\n4.2 Confirm if the procurement process       The procurement process cannot begin before the budget is authorized. According to the              Narrative: E.2.2   No issues noted\n    can begin before the budget is           latest modifications to LACAP, the law requires that prior to issuance of a requisition for goods\n    authorized and how?                      or services, the requestor must obtain funds availability which is stamped in the requisition.\n\n4.3 Review process flows for the             We obtained policies and procedures including process flows. We completed the evaluation of         Narrative: E.2.2   No issues noted\n    purchasing process and evaluate          controls in section 4.7 below\n    the    effectiveness    of   various                                                                                                         C.2.8\n    controls used in this process            The internal procedures regarding \xe2\x80\x9cGerencia de Adquisiciones y Contrataciones Institucional\n                                             (GACI), or UACI, describes the purchasing process, which was also confirmed during the\n                                             interviews. The effectiveness of the controls is tested at 4.7 and 4.8.\n\n4.4 Obtain an understanding of the           UNAC \xe2\x80\x93 There is a unit in charge of contracting and procurement of the government (UNAC)            Narrative: E.2.2   Issues noted:\n    procurement oversight/regulatory         that should oversee the purchasing unit at each institution including the one from MARN.\n    body and confirm that:                   However, the UNAC has limited resources and provides guidance when it is requested from             E.2.2 see page 4   1. There is no actual monitoring\n                                             the local procurement unit at MARN (UACI).                                                          (UNAC)                of vendors, account balances,\n  -    Such body has proper authority                                                                                                                                  time to process requests, and\n\n\n                                                                                                                                                                                          55 \n\n\x0cSECOND CRITERION:                          BUDGET EXECUTION\nQuestions to evaluate the                  Observations of the author, based on the analysis of available documents and enquiry             Reference to         Assessment of the Author\ncompliance with the criterion              of the entity subject to assessment                                                              documents (copy\n                                                                                                                                            attached)\n\n\n       and independence in the legal       Monitoring of Purchases \xe2\x80\x93 the unit in charge of purchases at MARN should be in charge of                                 so forth. Therefore, it is hard\n       framework                           monitoring performance of purchases such as: time to process a purchase, time to pay a                                   to    determine    if    MARN\n -     Review the monitoring tools for     vendor, number of bids process and so forth. However, we noted that monitoring of purchases                              processes            purchases\n       the oversight body to report        and vendors is not done \xe2\x80\x93 this is reported as a deficiency in the observations column.                                   effectively,  accurately     or\n       trends and issues to the                                                                                                                                     timely and/or if payments are\n       government                          The procurement oversight may be done thru different means:                                                              processed timely (see E.2.2 )\n -     The public is made aware of\n                                                \xef\x82\xb7   Internal audit division. This function basically performs internal reviews of the                            2. Audits or reviews done by\n       issues noted by the regulatory\n                                                    procurement function every year. The purpose is to ensure that they follow the                                  various entities are not\n       body\n                                                    LACAP regulation.                                                                                               published to ensure that the\n                                                                                                                                                                    public is aware of issues\n                                                \xef\x82\xb7   Ministry of Finance. This ministry performs reviews of the procurement function to\n                                                                                                                                                                    related to compliance or\n                                                    ensure that purchases follow the LACAP regulation. However, the reports issued by                               vulnerabilities.\n                                                    this ministry are not published so that the general public is made aware of issues.\n                                                \xef\x82\xb7   Court of Accounts. This ministry performs the financial reviews of the MARN.\n                                                    However, the reports issued by this ministry are not published so that the general\n                                                    public is made aware of issues.\n                                                \xef\x82\xb7   Donor\xe2\x80\x99s audits. Each individual donor may have their individual audits to ensure that\n                                                    the funds are used as intended\n                                           The actual process for controlling the purchases, employs the following controls: requisitions\n4.5 Is there a process for controlling     are used for purchases, budget availability is checked prior to committing the funds for a       E.2.2                No issues noted\n    actual purchases (e.g.: triple         purchase, goods are received by the warehouse and receipt is noted by the warehouse and\n    matching, list of approvers, list of                                                                                                    Test Schedule II \xe2\x80\x93\n                                           the person requesting the goods, receipt of the invoice is noted (quedan) and payments           Sheet           N:\n    approved        vendors,      order    (checks) require two signatures. The process does involve triple matching although it requires\n    processing unit, receiving unit,                                                                                                        Schedule II-N\n                                           more than 3 documents.\n    budget       and      commitments\n    compared,            Develop an        The actual process for controlling purchases can take one of three forms: Bidding (\n    understanding).of how such controls    Licitaciones o concursos), free purchase (Procesos de libre Gesti\xc3\xb3n) and direct procurement\n    are enforced                           (Contrataciones directas). The process requires documentation for the actual approval of the\n                                           original purchase requisition, bidding, analysis of bids or direct procurement, receiving of\n                                           goods and payments to vendors. We tested these controls at 4.7 below\n4.6 Confirm that the procurement           The procurement system used to track purchases open for bids is COMPRASAL. This system           Narrative: E.2.2     Issue Noted:\n    system is linked with other            is usable by all government institutions as required by the LACAP law; however, there are no\n    institutions carrying out government   linkages with other government functions due to several factors as further described in the                           The SAFI accounting system is\n    functions                              narrative.                                                                                                            not integrated with the SIAF used\n                                                                                                                                                                 by MARN nor with any of the\n                                                                                                                                                                 other systems used by the other\n                                                                                                                                                                 ministries.\n\n\n\n                                                                                                                                                                                      56 \n\n\x0cSECOND CRITERION:                           BUDGET EXECUTION\nQuestions to evaluate the                   Observations of the author, based on the analysis of available documents and enquiry            Reference to         Assessment of the Author\ncompliance with the criterion               of the entity subject to assessment                                                             documents (copy\n                                                                                                                                            attached)\n\n\n4.7 Make sample selections of vendors                                                                                                                            Potential issue noted:\n     from the vendor master file and test   We were not able to make sample selections of new vendors from the system. The reason for       Narrative: E.2.2     1. Vendors are not maintained\n     to confirm that:                       this is that MARN does not maintain the vendor master file as this is maintained by Hacienda.                           by MARN and there is no\n                                            MARN only reviews vendors when processing a purchase to make sure that the vendors have         Test Schedule II \xe2\x80\x93\n    - New vendors were properly                                                                                                             Sheet          M:       coordination to ensure that\n         approved       (approved      by   not been suspended or are in the list of those vendors that should not be used. Therefore,                              the listing is kept to date by\n                                            there is no process at MARN to ensure that vendors are up to date.                              Schedule II-M\n         approver with authority to                                                                                                                                 the applicable ministry (see\n         approve them) and approval         Basically, there is no master list of vendors at MARN. Vendors may register in COMPRASAL                                Schedule II-M).\n         was in writing                     to participate in a bidding process. However, the vendor\xe2\x80\x99s list is updated by the Ministry of                        2. Vendor data from the\n    - Bidding process is used when          Finance. As noted above, the LACAP authorizes \xe2\x80\x9cdirect contracting\xe2\x80\x9d which does not require                                 purchase requisition system\n         selecting new vendors              prior registration in COMPRASAL                                                                                           used by MARN (SIAF and\n    - Vendor listing is reviewed to                                                                                                                                   Excel) is not reconciled to\n         ensure that old vendors no                                                                                                                                   the accounting system (see\n         longer used are deleted from                                                                                                                                 Schedule II-M).\n         the listing\n4.8 Make sample selections of the           We reviewed various awards, per Sheet N of the test schedule, and confirmed that the invoice    Narrative: E.2.2     Issues noted:\n     purchase cycle (payments) and          matched the order and the receiving report. In fact, the awards require a receiving report as\n     ensure that:                           part of the payment documentation. In addition, every award identifies an \xe2\x80\x9cadministrator\xe2\x80\x9d who   Test Schedule II \xe2\x80\x93   1. Time allowed for vendor\n                                            is responsible to confirm receipt of goods or services according to the award terms and         Sheet L: Schedule       participation          during\n    - Matching of invoice, receiving                                                                                                        II-L                    procurement is too short to\n        report and order was done prior     conditions.\n                                                                                                                                                                    ensure that the best bids are\n        to paying for goods or services     We also confirmed that Requisitions were issued prior to the issuance of the solicitation       Test Schedule II \xe2\x80\x93      received. For instance, we\n        (triple matching is used)           document; however, some of these requisitions had vague specifications. We also confirmed       Sheet           N:      noted that bidding was only\n    - Bidding was used in accordance        minor instances where payment was delayed for nearly 3 months after receipt of goods or         Schedule II-N           open for one day for one\n        with the policies                   services.                                                                                                               procurement because it was\n    - Expenses were approved in                                                                                                                                     done through (see Schedule\n        accordance with the policies                                                                                                                                II-L)\n        and procedures\n    - Requisition orders were used in                                                                                                                            2. There is no process for\n        the process                                                                                                                                                 tracking     open    orders\n    - Items were recorded accurately                                                                                                                                processed through the SIAF\n    - Items were recorded timely                                                                                                                                    system or manually (see\n    - Vendor used was an approved                                                                                                                                   Schedule II-L)\n        vendor\n                                                                                                                                                                 3. Single vendor selection is not\n    - For        items    requiring  an\n                                                                                                                                                                    properly documented and it is\n        agreement, confirm that the\n                                                                                                                                                                    questionable. For instance,\n        expense agree to the terms of\n                                                                                                                                                                    explanations     used       to\n        the agreement\n                                                                                                                                                                    document the selection of a\n    - Payment was processed timely\n                                                                                                                                                                    single vendor stated that a\n        in accordance with LACAP\n                                                                                                                                                                    vendor was the best based on\n        regulation\n                                                                                                                                                                    discussion    with    various\n\n                                                                                                                                                                                     57 \n\n\x0cSECOND CRITERION:                        BUDGET EXECUTION\nQuestions to evaluate the                Observations of the author, based on the analysis of available documents and enquiry         Reference to         Assessment of the Author\ncompliance with the criterion            of the entity subject to assessment                                                          documents (copy\n                                                                                                                                      attached)\n\n\n   -   Vendor was paid timely in                                                                                                                              personnel and companies.\n       accordance with laws and                                                                                                                               However,      the   technical\n       agreements                                                                                                                                             reasons for concluding that a\n   -   Quantity    and    quality   of                                                                                                                        vendor is the best one in its\n       goods/services were inspected                                                                                                                          category are not documented\n   -   Confirm process for preventing                                                                                                                         (e.g.: capacity compared to\n       double payments                                                                                                                                        other vendors, quality, etc.)\n                                                                                                                                                              (see Schedule II-L)\n                                                                                                                                                           4. Payment to one sample\n                                                                                                                                                              selection was made 3 1/2\n                                                                                                                                                              months late (see Schedule II\xc2\xad\n                                                                                                                                                              N)\n                                                                                                                                                           5. Language for the requisition\n                                                                                                                                                              sometimes is too vague for\n                                                                                                                                                              the proposals (see Schedule\n                                                                                                                                                              II-N)\n\n4.9 Review tools used by MARN to         There are no tracking tools for vendors and balances payables. The tracking responsibility   Narrative: E.2.2     Issues noted:\n     track vendors and balances          falls directly onto the Administrator of each award who has to certify receipt of goods or\n     payables to ensure that:            services and the Finance Unit has to effect payment in a timely manner once the required     Test Schedule II \xe2\x80\x93   MARN does not use any tracking\n                                         documentation is submitted for processing. The LACAP requires timely payments and            Sheet           O:   tools to monitor vendors such as\n    - Balances owed to vendors are                                                                                                    Schedule II-O        review of vendor\xe2\x80\x99s balances, time\n        aged                             penalizes any delays due to negligence. Our testing revealed that the majority of payments\n                                         were done timely, i.e. not more than one or one a half month after receipt of goods or                            to process requests, aging of\n    - LACAP regulation is followed                                                                                                                         payables, and so forth (See\n        regarding the aging balances     services.\n                                                                                                                                                           Schedule II-O).\n    - Determine controls over special\n        accounts to determine if items\n        are processed timely\n    - Determine any potential impact\n        of any issues noted on the\n        project\n    - Vendors are paid in accordance\n        with vendor agreements\n    - Vendors are paid timely\n4.10Review controls over recording of    We reviewed controls over recording of entries and commitments during the testing done for   None                 No exceptions noted\n    commitments at MARN. Confirm if      the accounting testing.\n    any entity is exempt from the\n    controls and why\n\n\n\n                                                                                                                                                                                 58 \n\n\x0cSECOND CRITERION:                          BUDGET EXECUTION\nQuestions to evaluate the                  Observations of the author, based on the analysis of available documents and enquiry             Reference to         Assessment of the Author\ncompliance with the criterion              of the entity subject to assessment                                                              documents (copy\n                                                                                                                                            attached)\n\n\n4.11Assess the process for recording\n    and reporting of MARN debt and         Given the impact on the project and time constraints, we were unable to test this step           None                 None\n    guarantees\n    - Review      the    process   and\n       controls over loan guarantees\n4.12Review monitoring tools available      According to our interviews, there are no monitoring tools in place to review the purchase and   Narrative: E.2.2     Issued noted at 4.9\n    to government officials to monitor     disbursement cycle.\n    the purchase and disbursement                                                                                                           Test Schedule II \xe2\x80\x93\n    cycle                                                                                                                                   Sheet           O:\n                                                                                                                                            Schedule II-O\n4.13Review MARN\xe2\x80\x99s controls to confirm\n    that public sector opportunities are   MARN does not have a policy to promote private sector participation given that its               Narrative: E.2.2     No issues noted\n    open to the private sector and         responsibility ends with the publication of its business opportunities in COMPRASAL.\n    confirm that:                          All opportunities are listed at COMPRASAL and some of them are published in the\n    - System exists to make all            newspapers.\n       opportunities known to the\n       public sector\n    - Different business sectors are\n       encouraged to bid\n4.14Review controls to mitigate the\n    amount of any potential loss such      We reviewed controls to mitigate the amount of a loss such as insurance (See insurance           insurance Issue      Issues noted in Asset testing and\n    as insurance, caps on checks           Issue) and two signatures required on checks (tested in cash section as noted at Cash                                 cash sections\n                                           Section)                                                                                         Cash Section\n    requiring additional signatures,\n    additional approvals for payments\n    exceeding      certain    amounts,\n    controls to prevent duplicate\n    payments.\n4.15Confirm segregation of duties\n    among the duties of requesting         We noted one instance of non-compliance in this area. See Exception 1 of Test Schedule II,       Narrative: E.2.2     Issue noted:\n    services/goods,    approving     the   Section N, which reads as follows: The same individual had various roles in the award\n                                           process, Mr. Jorge Quezada. He was the Requestor, participated in the evaluation process,        Test Schedule II \xe2\x80\x93   The    same   individual was\n    request, request and approval for                                                                                                       Sheet           N:   involved in the requisition,\n    payment and receiving function         was designated as the administrator of the purchase order, signed the receiving report, and\n                                           was one of the signatories on the check No. 134. However, we noted other signatures              Schedule II-N        approval of the vendor and\n                                           (approvals) in the above documents                                                                                    payment.\n\n5.   Asset management\n                                           We reviewed the policies and procedures related to the asset management area for                 Schedule II-P        No issues noted\n5.1 Review policies and procedures for     completeness as noted at Schedule II-P\n    the asset management cycle and\n    review for completeness for items\n\n\n                                                                                                                                                                                       59 \n\n\x0cSECOND CRITERION:                            BUDGET EXECUTION\nQuestions to evaluate the                    Observations of the author, based on the analysis of available documents and enquiry                Reference to        Assessment of the Author\ncompliance with the criterion                of the entity subject to assessment                                                                 documents (copy\n                                                                                                                                                 attached)\n\n\n    such as: bidding, use of contracts\n    and agreements, monitoring of\n    asset usage, controls to physically\n    protect assets, physical verification,\n    tagging, c\\\n5.2 Review process flows for the asset       We reviewed the process for asset management to evaluate its effectiveness. We noted                C.2.28 (see pages   No issues noted\n    management process and evaluate          various issues as noted in the following sections.                                                  p.155-282)\n    the    effectiveness    of   various\n    controls used in this process\n\n5.3 Confirm that an asset registry is        MARN implemented new software in 2010 that included a module for the asset registry and             C.2.27              Issues noted:\n    used at MARN. If so, confirm that it     sub-ledger. The software utilized by MARN is the SIAF system.\n    is up to date                                                                                                                                                    1) A new fixed asset module has\n                                             Previous to 2010, MARN utilized the COAFI system to keep the asset sub-ledger. In 2010, the                                been implemented at MARN;\n                                             asset module from the SIAF system was implemented. However, data from the COAFI system                                     however, the data from the\n                                             was not uploaded from the old system to the new; instead, the data is being re-keyed                                       old system is being input\n                                             manually from the old system to the new system (SIAF) \xe2\x80\x93 This is reported as an issue.                                      manually into the new fixed\n                                                                                                                                                                        asset module rather than\n                                             Currently, MARN is still in the process of re-keying the data from the COAFI system into the                               being uploaded directly into\n                                             SIAF system manually. Basically, we noted that the asset registry is not up to date as noted in                            the new module in the SIAF\n                                             the finding \xe2\x80\x93 This is reported as an issue.                                                                                system (please refer to\n                                                                                                                                                                        C.2.27)\n                                                                                                                                                                     2) Transferring of data to the\n                                                                                                                                                                        new asset registry is only\n                                                                                                                                                                        approximately 70% completed\n                                                                                                                                                                        (please refer to C.2.27)\n\n5.4 Review the results of 2 counts of        We requested the results of the asset counts for 2010 and 2009.                                     C.2.27              Issues noted:\n    assets in the last 2 years. Confirm\n    that any discrepancies were              We noted that MARN did not use sheets to track the asset counts done at MARN. Basically,                                1) Annual        verification    of\n    investigated                             MARN utilizes the copy of the invoice and tracks them to the assets utilizing the tracking                                 existence of assets on the\n                                             numbers assign by them.                                                                                                    field is not done physically as\n                                                                                                                                                                        MARN       does      not   have\n                                             When it comes to assets in the field, we were informed that MARN does not have the                                         sufficient logistics personnel\n                                             resources to send analysts to the field to verify that each of their assets in the field is still                          to effectively control assets at\n                                             operating and in existence given personnel limitations. This is especially troublesome since                               the national level (Please\n                                             the major assets are kept in the field such as radars and expensive equipment.                                             refer to C.2.27 and Schedule\n                                             We also performed testing to verify that some sample selections had asset tags and to confirm                              II-R)\n                                             that controls functioned as intended as documented at Schedule II-R \xe2\x80\x93 Deficiency was noted.                             2) Documentation       supporting\n\n\n                                                                                                                                                                                           60 \n\n\x0cSECOND CRITERION:                        BUDGET EXECUTION\nQuestions to evaluate the                Observations of the author, based on the analysis of available documents and enquiry              Reference to      Assessment of the Author\ncompliance with the criterion            of the entity subject to assessment                                                               documents (copy\n                                                                                                                                           attached)\n\n\n                                                                                                                                                                annual asset counts is not\n                                                                                                                                                                kept as support. (Please refer\n                                                                                                                                                                to PA3.a and Schedule II-R.\n\n5.5 Confirm that MARN has controls to    MARN utilizes asset numbers to ensure that assets are not misappropriated. Instead of using       C.2.27            No issues noted\n    ensure that assets are not           asset tags, MARN develops asset numbers that identify the type of asset, location, person that\n    misappropriated such as asset        has the asset, project and financing involved. The asset numbers are actually written on the      Schedule II-R.\n    tags, physical safeguards, etc.      assets using a pen with paint.\n\n5.6 Review and evaluate controls         We confirmed that MARN uses the following controls to ensure that assets are not misused:         None              No issues noted\n    enforced at MARN to protect          they used tracking sheets for vehicles, the asset ID number includes the location of the asset,\n    assets from misuse and to confirm    and asset verification is done annually.\n    that they are used in its intended\n    purpose\n\n5.7 Review and evaluate controls         MARN uses insurance to cover some assets. However, the only assets insured are vehicles \xe2\x80\x93\n    enforced at MARN to protect          This is reported as an issue.\n    assets from misappropriation\n\n5.8 Review controls to ensure that the   We requested the reconciliations for 2010 and 2011 as of June 2012. We noted various issues       C.2.27            Issues noted:\n    asset sub-ledger agrees to the GL    related to the reconciliation between the GL and the subsidiary ledger as documented in the\n                                         observations\xe2\x80\x99 column.                                                                             Schedule II-Q     1) The reconciliation between\n                                                                                                                                                                the Fixed Asset register and\n                                                                                                                                                                the GL for 2010 did not have\n                                                                                                                                                                evidence of review (Please\n                                                                                                                                                                refer E3 on Schedule II-Q)\n                                                                                                                                                             2) Reconciliation for 2011 has\n                                                                                                                                                                not been prepared as of\n                                                                                                                                                                06/29/12 (Please refer to E2\n                                                                                                                                                                on Schedule II-Q)\n                                                                                                                                                             3) There is no evidence of\n                                                                                                                                                                review/approval            of\n                                                                                                                                                                reconciliations (Please refer\n                                                                                                                                                                to E3 on Schedule II-Q)\n                                                                                                                                                             4) Large     difference   noted\n                                                                                                                                                                between the GL and the fixed\n                                                                                                                                                                asset register ($354K) which\n                                                                                                                                                                did not include supporting\n                                                                                                                                                                documentation (Please refer\n\n                                                                                                                                                                                 61 \n\n\x0cSECOND CRITERION:                             BUDGET EXECUTION\nQuestions to evaluate the                     Observations of the author, based on the analysis of available documents and enquiry           Reference to         Assessment of the Author\ncompliance with the criterion                 of the entity subject to assessment                                                            documents (copy\n                                                                                                                                             attached)\n\n\n                                                                                                                                                                     to E4 on Schedule II-Q).\n\n6.   Payroll                                  We reviewed the payroll policies and procedures as documented at Schedule II-S                 Schedule II-S        No issues noted\n6.1 Review policies and procedures                                                                                                           C.2.28     (pages\n    for the payroll process and review                                                                                                       111-153)\n    for completeness\n6.2 Review process flows for the              We reviewed process flows and met with personnel related to the payroll area at MARN to        Schedule II-S        No issues noted\n    payroll process and evaluate the          discuss and evaluate controls related to the payroll area.                                     C.2.28      (pages\n    effectiveness of various controls                                                                                                        111-153)\n    used in this process such as                                                                                                             C.2.30\n    controls over timeliness (records\n    are recorded timely), accuracy\n    (payroll records are recorded\n    accurately in the accounting\n    system) and validity (payroll\n    records were approved).\n6.3 Are payroll payments linked to the        We reviewed the payroll and time and attendance systems. WE noted that both systems are        C.2.30               No issues noted\n    time and attendance or Human              not linked.\n    resources systems?                                                                                                                       Schedule II-T\n                                              Adjustments to employee payroll are one month behind because employee payroll is prepared\n                                                       th\n                                              by the 15 of each month while time and attendance reports are prepared by the end of the\n                                              month. Basically, adjustments from the time and attendance report are made to the payroll on\n                                              the subsequent month. We made sample selections of the payroll and tested that adjustments\n                                              were made as applicable as noted at Schedule II-T.\n6.4 Review controls to prevent fraud,         We reviewed and tested various controls to prevent fraud, waste and abuse as follows:          C.2.30               Issue noted:\n    waste and abuse and assess their          1) Controls to ensure that payments are made to real employees: Employees sign for their       Schedule II-T        Treasury department does not\n    effectiveness. This should include:           checks at the treasury department \xe2\x80\x93 issue noted: treasury does not keep copies of cards                         keep copies of data showing the\n    - Controls        to   ensure      that       or data showing the employee signatures to confirm signatures for employees at remote                           employee signatures to confirm\n        payments are made to real                 locations                                                                                                       signatures for employees at\n        employees                             2) Access controls: two employees at MARN have access to the payroll and HR systems                                 remote locations. Additionally,\n    - Access controls                             (SIRH). SOD is also applied as these are the only two employees processing payroll                              we reviewed pay to an employee\n    - Segregation of duties                   3) Names of employees on the payroll listing are reviewed every year as the law requires                            located in a remote location and\n    - Review of names shown on the                that all employees be re-hired/re-set in the payroll system every year                                          noted that the signature did not\n        payroll verified by the ministry at   4) We confirmed that employee records are maintained as verified for sample selections                              match the one in the employee\n        least once a year                         made                                                                                                            file.\n    - Are         personal        records     5) Overtime pay is not allowed at MARN\n        maintained for each employee\n        showing rates of pay, sick leave\n        taken, allowances, references,\n\n                                                                                                                                                                                      62 \n\n\x0cSECOND CRITERION:                            BUDGET EXECUTION\nQuestions to evaluate the                    Observations of the author, based on the analysis of available documents and enquiry             Reference to      Assessment of the Author\ncompliance with the criterion                of the entity subject to assessment                                                              documents (copy\n                                                                                                                                              attached)\n\n\n        contracts, etc?\n    -   Maintaining the confidentiality of\n        the records\n    -   Time and attendance records\n        (e.g.: timesheets)\n    -   Controlling overtime pay\n6.5 Assess the effectiveness of the          We confirmed that there are only two employees in charge of the payroll at MARN. One             None              No issues noted\n    segregation of duties used in the        basically is responsible for processing the payroll at MARN while the other is responsible to\n    payroll process                          administer the HR functions in the SIRH system. Once the payroll is prepared, it is approved\n                                             by the vice-minister and the accounting department (Treasurer) for processing. The\n                                             accounting department is responsible for uploading the payroll into the accounting system.\n                                             Then, the ministry of finance (Hacienda) is responsible for processing the payment. Last,\n                                             treasury makes the deposits directly into the employees\' accounts or cuts checks (most\n                                             employees are paid by direct deposits). Each employee is responsible for signing for their pay\n                                             before they can receive it.\n6.6 Make a sample selection of payroll\n    payments to determine that:              We made sample selections of the payroll to test at Schedule II-T                                C.2.30            Issue noted:\n    - Payroll       was       calculated     We noted one issue as noted in the observations column.                                          Schedule II-T     The treasury department is in\n       accurately                                                                                                                                               charge of disbursing funds to\n    - Payroll was recorded timely                                                                                                                               employees directly, including\n    - Payroll was recorded accurately                                                                                                                           those located in remote areas.\n    - Payroll was recorded in the right                                                                                                                         However, they do not have\n       period                                                                                                                                                   copies     of   the  employee\n    - Controls totals were used                                                                                                                                 signatures to confirm that the\n    - Batches are used                                                                                                                                          appropriate person signed for\n    - Payroll is approved by a person                                                                                                                           receipt of payment\n       with authority and independent\n       from the payroll preparation\n    - Payroll preparation, approval\n       and payment are segregated\n    - Employees are identified before\n       receiving payment\n    - There is a control to confirm that\n       appropriate employees received\n       their payment\n    - Unclaimed salaries held until\n       claimed?\n\n\n\n\n                                                                                                                                                                                  63 \n\n\x0c                                                                  Appendix IV\n\n\n\n\n       THIRD CRITERION: \n\n\nINFORMATION AND COMMUNICATION \n\n\n\n\n\n                Date of the assessment:   Completed on 10/15/12\n                Author of the assessment: Ivan Magana\n\n\n\n\n                                                                          64\n\x0cTHIRD CRITERION:                               INFORMATION AND COMMUNICATION\nQuestions to evaluate the compliance           Observations of the author, based on the analysis of available documents and enquiry            Reference to      Assessment of the Author\nwith the criterion                             of the entity subject to assessment                                                             documents (copy\n                                                                                                                                               attached)\n\n\n1. Information systems                         MARN - We obtained a copy of the policies and procedures for MARN and reviewed it for           Schedule III-A    No issues noted\n1.1 Review policies and procedures             completeness as noted at Schedule III-A.                                                        D.2.17\n    impacting the use and access to the        Hacienda \xe2\x80\x93 We reviewed the policies and procedures related to the SAFI accounting system\n    information          systems         for   maintained by Hacienda.\n    completeness. At a minimum,\n    confirm that the policies include the\n    following areas: use of approved\n    software,      physical      safeguards\n    (locks, special rooms, and alarms),\n    and backups and approved used.\n1.2 Confirm that there is appropriate          MARN \xe2\x80\x93 We reviewed the technology at MARN and noted that there is appropriate                   None              No issues noted\n    technology in place for information        technology to do the tasks that the ministry is responsible to complete.\n    systems         (i.e.:       accounting,   Hacienda \xe2\x80\x93 We reviewed the technology at Hacienda (Ministry of Finance) as Hacienda is\n    procurement,        payroll,    contract   responsible for maintaining the SAFI accounting system used by most government entities in\n    administration, human resources            El Salvador. During our review, we noted that there is appropriate technology to do the tasks\n    and payroll)                               that the ministry is responsible to complete\n    - Confirm that the information and\n        accounting systems allow timely\n        financial reporting\n1.3 Confirm that policies and procedures       MARN \xe2\x80\x93We made sample selections to test access controls and ensure that there is a              MARN:             MARN:\n    provide for segregation of duties.         segregation of duties.                                                                          D.2.17            No issues noted\n                                               When it comes to access granted to users at MARN, we made sample selections to confirm          Schedule III-B\n    Obtain an understanding of access          that access granted to the SIAF system agrees to the users\' duties as documented at\n    controls to the various modules            Schedule III-B. We noted that access to the SIAF system did agree with the employee duties.                       Hacienda:\n    including: payroll, assets, inventory      Hacienda \xe2\x80\x93 We noted that the SAFI accounting system maintained by Hacienda is used by                             Issues noted:\n    management,        accounting      and     most government entities including MARN. As such, we reviewed access controls to the SAFI                         1) We noted that there were\n    finance and confirm that:                  as noted at SAFI Access. We noted three exceptions related to the access testing conducted                            three users of SAFI from\n    - There are clear segregation of           of SAFI as noted in the observations column.                                                                          MARN that could not be\n        duties    between      authorizing     Access to SIAF:                                                                                 Hacienda:             verified      as      current\n        transactions,          processing      We also noted that Hacienda performs a semi-annual review of SAFI users. We reviewed the        D.2.18                employees. We contacted\n        transactions,           recording      last two semi-annual reviews performed at Hacienda as noted at D.2.18. No exceptions were       D.2.19                MARN and confirmed that\n        transactions, custody of assets,       noted                                                                                                                 these were valid users as\n        and reviewing transactions                                                                                                                                   they were recent additions to\n    - Access is segregated based on                                                                                                                                  the payroll (See SAFI - Ex 4)\n        functions                                                                                                                                                    \xe2\x80\x93 This exception is not\n    - Access        is    managed        by                                                                                                                          reported as an issue, pass\n        appropriate    personnel      (i.e.:                                                                                                                         further review.\n        personnel segregated from the                                                                                                                            2) We noted one issue related to\n        functions that it is supposed to                                                                                                                             a      user    role   named\n        protect)                                                                                                                                                     "Sostenibilidad"    (support)\n\n\n                                                                                                                                                                                     65 \n\n\x0cTHIRD CRITERION:                                INFORMATION AND COMMUNICATION\nQuestions to evaluate the compliance            Observations of the author, based on the analysis of available documents and enquiry                Reference to      Assessment of the Author\nwith the criterion                              of the entity subject to assessment                                                                 documents (copy\n                                                                                                                                                    attached)\n\n\n    -   Access     is   monitored  and                                                                                                                                    which has access to the\n        monitoring is documented                                                                                                                                          security modules in SAFI\n    -   Access    is    removed   when                                                                                                                                    even though this user should\n        employees are terminated or                                                                                                                                       only support institutional (see\n        leave employment                                                                                                                                                  SAFI Ex 5). We recommend\n                                                                                                                                                                          that Hacienda restricts the\n                                                                                                                                                                          access to Security to user\n                                                                                                                                                                          21000 \xe2\x80\x93 This is reported as\n                                                                                                                                                                          an issue\n1.4 Review data controls, including:            MARN:                                                                                               D.2.16            MARN:\n    physical controls, system controls,          Physical controls over the mainframe and use of passwords to access room \xe2\x80\x93 We evaluated            Schedule III-C    Issues noted:\n    backups and disaster recovery:              physical controls over the hardware at MARN as documented at Schedule III-C. We noted               Schedule III-D    1) For MARN, we noted that\n    - Evaluate physical controls over           that MARN utilizes the following controls to protect its mainframe: access to the mainframe                               backups of the system are\n       computer hardware (e.g.: use of          room requires the use of cards, passwords and fingerprints; the access cards are only kept                                kept in the computer room\n       special rooms, locks, safety             by two individual; the room where the mainframe is kept has a fire alarm and system to                                    rather than offsite\n       features such as fire safeguards,        control fire; the floor in the room is raised to prevent humidity and there is an AC operating in                     2) we noted that a running\n       access restrictions to computer          the room.                                                                                                                 mirror of the system is not\n       room, are keys restricted to             Backups \xe2\x80\x93 We evaluated the procedures when it comes to backups of the system as                                           kept at an offsite location\n       certain personnel, .)                    documented at Schedule III-D. We noted an issue as documented in the observations                                     3) We noted that MARN\xe2\x80\x99s\n    - Evaluate data controls such as            column. Because the backups are kept in the computer room inside the server, there is no                                  internal audit group or the SAI\n       the use of passwords (evaluate           listing of backups maintained by MARN.                                                                                    responsible for conducting\n       policies on passwords such as            Mirror of the systems at MARN - we noted that a running mirror of the system is not kept at                               financial audits (Corte de\n       expiration, length, rules upon           an offsite location \xe2\x80\x93 This is reported as an issue                                                                        Cuentas) do not perform\n       termination,      termination       of   IT audit \xe2\x80\x93 During our review, we were notified that no IT audit is performed at MARN - This is                            system audits to ensure that\n       access once employees leave,             reported as an issue                                                                                                      sufficient     controls       are\n       limitations on the number of             Hacienda:                                                                                                                 enforced to protect the\n       attempts to use a password               Physical controls \xe2\x80\x93 We reviewed physical controls over the computer room at both Hacienda                                 system or to test the controls\n       before locking itself, );                and Aduana related to security controls, security access to the computer room, electrical                                 to ensure that they are\n    - Evaluate the backup policy and            backup, fire suppression system and humidity and water as noted at SAFI - Physical. We                                    functioning as intended\n       confirm that backups are done            noted three exceptions as noted in the observations column (see #1 \xe2\x80\x93 3).                                              Hacienda:\n       periodically and they are kept           Backups \xe2\x80\x93 We reviewed controls related to SAFI backups at both Hacienda and Aduana as                                 Exceptions noted:\n       offsite on a safe location on a          documented at SAFI backups. No exceptions noted during the testing.                                                   1) Air Conditioning units for\n       separate building                        Password Security \xe2\x80\x93 We reviewed password security at both Hacienda and Aduana as noted                                    EPS1 and the tape library are\n    - Confirm that MARN maintains an            at SAFI - password. We noted one exception as noted in the observations column (see #4).                                  located in the EPS2 area.\n       inventory listing of all backups                                                                                                                                   This increases the likelihood\n    - Confirm that hardware and                                                                                                                                           of damaged by water.\n       software        inventories       are                                                                                                                              Additionally, the floor in the\n       maintained,                 including                                                                                                                              EPS2 area is not raised \xe2\x80\x93\n       descriptions,      locations     and                                                                                                                               This is reported as an issue\n       values of items                                                                                                                                                2) We noted that the flow of hot\n\n\n                                                                                                                                                                                            66 \n\n\x0cTHIRD CRITERION:                           INFORMATION AND COMMUNICATION\nQuestions to evaluate the compliance       Observations of the author, based on the analysis of available documents and enquiry           Reference to      Assessment of the Author\nwith the criterion                         of the entity subject to assessment                                                            documents (copy\n                                                                                                                                          attached)\n\n\n                                                                                                                                                                air in EPS1 was not properly\n                                                                                                                                                                controlled by a physical\n                                                                                                                                                                barrier. However, the ministry\n                                                                                                                                                                is currently dealing with this\n                                                                                                                                                                deficiency by using other\n                                                                                                                                                                types of barriers to isolate hot\n                                                                                                                                                                air (using metal or wooden\n                                                                                                                                                                boards) \xe2\x80\x93 This deficiency is\n                                                                                                                                                                not reported as an issue,\n                                                                                                                                                                pass further review.\n                                                                                                                                                            3) The doors protecting the\n                                                                                                                                                                computer room are metallic\n                                                                                                                                                                and reinforced. However,\n                                                                                                                                                                they do not seem to be fire\n                                                                                                                                                                proof raised \xe2\x80\x93 This is\n                                                                                                                                                                reported as an issue\n                                                                                                                                                            4) Hacienda requires the SAFI\n                                                                                                                                                                passwords       to      be     8\n                                                                                                                                                                characters, requiring one\n                                                                                                                                                                character to be a number. It is\n                                                                                                                                                                worth noting that Hacienda in\n                                                                                                                                                                their own manual defines a\n                                                                                                                                                                strong password as one that\n                                                                                                                                                                it is 15 characters in length\n                                                                                                                                                                and includes a combination of\n                                                                                                                                                                characters, capital letter,\n                                                                                                                                                                letters and numbers \xe2\x80\x93 This is\n                                                                                                                                                                reported as an issue\n1.5 Test some application controls built   We tested some of the controls built in the SAFI system such as numerical sequence,            Schedule III-F    No issues noted\n    in the systems such as:                allowing only certain dates (no backdating), deletion of prior posted entries and entries of\n    - Systems allow only certain codes     only certain defined characters (e.g.: numerical entries) as documented at Schedule III-F\n        or values\n    - Checks for duplicate records\n    - The system tracks the person\n        who inputs and approves the\n        data\n1.6 Obtain a copy of the disaster          MARN \xe2\x80\x93We requested a copy of the disaster recovery plan to perform some testing as             Schedule III-E    MARN:\n    recovery plan and confirm that it is   documented at Schedule III-E. MARN does not have a disaster recovery plan as noted on                            Issues noted:\n    complete by addressing:                the observations.                                                                                                MARN does not have a disaster\n    - Various types of disasters           Hacienda - We reviewed continuity planning at Hacienda as noted at SAFI continuity. We                           recovery plan.\n\n\n                                                                                                                                                                                 67 \n\n\x0cTHIRD CRITERION:                              INFORMATION AND COMMUNICATION\nQuestions to evaluate the compliance          Observations of the author, based on the analysis of available documents and enquiry          Reference to         Assessment of the Author\nwith the criterion                            of the entity subject to assessment                                                           documents (copy\n                                                                                                                                            attached)\n\n\n    -   Mitigation controls                   noted one exception as documented in the observations column (Please note that this\n    -   It includes business continuity       exception was also noted).                                                                                         Hacienda:\n        plans (See ADS 545 and                                                                                                                                   Issues noted:\n        Business continuity planning                                                                                                                             We noted that Hacienda uses a\n        reference to ADS545). The                                                                                                                                mirror site at Aduana as an\n        business continuity plan should                                                                                                                          alternate site in case of an\n        include at a minimum: identify                                                                                                                           emergency. However, this site is\n        critical systems and resources,                                                                                                                          only located 23 kilometers away\n        potential    threats,   preventive                                                                                                                       from the site at Hacienda and this\n        controls,               delegating                                                                                                                       distance is not sufficient to\n        responsibilities and validating the                                                                                                                      mitigate the risk of some events\n        business plan.                                                                                                                                           such as an earthquake \xe2\x80\x93 This is\n    -   It provides a plan for offsite                                                                                                                           reported as an issue \xe2\x80\x93 We\n        backup and recovery                                                                                                                                      recommend that Hacienda either\n                                                                                                                                                                 select a remote site or consider an\n                                                                                                                                                                 alternative such as cloud storage\n1.7 Confirm that training has been            MARN \xe2\x80\x93see issue noted above on 1.6                                                            MARN:          See   MARN: See section 1.6 above\n    provided on the disaster recovery         Hacienda \xe2\x80\x93 We confirmed that Hacienda has provided training on the disaster recovery plan     section 1.6 above\n    plan to the appropriate personnel         and that the plan is tested at least annually. No exception noted.\n1.8 Review      the   human      resource     We noted that the Human Resources system is integrated with the payroll system (SIRH).        None                 No issues noted\n    information     system      and    its    Although the SIRH system is not integrated with the accounting system (SAFI), data from the\n    integration with the Payroll and          payroll system is uploaded after the payroll is prepared and approved to the SAFI system.\n    Financial      Administration     and\n    Accounting Systems\n1.9 Review the purchasing information         When it comes to Purchases made by MARN, they are maintained either in Excel schedules        D.2.16               Issue noted in the purchasing\n    system and its integration with the       or the SIAF systems (this is noted as an issue in the purchasing testing area). During our                         section\n    Financial      Administration     and     testing of the procurement area, we also noted that there is no reconciliation between the\n    Accounting Systems                        purchase requisitions maintained manually using Excel, SIAF and the ones recorded in the\n                                              accounting system (this is noted as an issue in the purchasing testing area).\n1.10Review the asset management               We noted that the asset management system (SIAF) is not integrated with the accounting        See the asset        See the      asset   management\n    system and its integration with the       system                                                                                        management           section\n    Accounting Systems                                                                                                                      section\n2. Audit Process:                             MARN:                                                                                         MARN:                MARN:\n2.1 Assess the external and internal          We reviewed the internal audit function at MARN as documented in the narrative at D.2.1,      Narrative: D.2.1     No issues noted\n    audit         capabilities,    their\n    complementarity and coverage to           Internal auditor and two technicians. However, we noted that they lacked the IT audit         Corte de             Corte de Cuentas:\n    ensure effectiveness of MARN\xe2\x80\x99s            coverage as noted at 2.7 in this section (see PA3.a).                                         Cuentas:             Issues noted as follows:\n    internal control framework                                                                                                                                   1)\n                                              Corte de Cuentas:\n                                              We performed a limited review of the financial audit function which is managed by the Corte\n\n                                                                                                                                                                                      68 \n\n\x0cTHIRD CRITERION:                            INFORMATION AND COMMUNICATION\nQuestions to evaluate the compliance        Observations of the author, based on the analysis of available documents and enquiry              Reference to           Assessment of the Author\nwith the criterion                          of the entity subject to assessment                                                               documents (copy\n                                                                                                                                              attached)\n\n\n                                            de Cuentas (the supreme audit institution) as documented in the narrative.\n2.2 Review process flows for the audit      As documented in the narrative the process flow for the audit document obeys the following        Narrative: D.2.1       No issue noted in this testing\n    process      and      evaluate the      cycle:                                                                                            Procedures       for\n    effectiveness of various controls             1)    The audit report is prepared semiannually.                                            internal   auditing\n    used in this process.                         2)    The report is sent to the Minister in draft and final.                                D.2.9\n                                                  3)    The report is reviewed by the Minister.\n                                                  4)    The report is sent to the supreme audit institution\n                                            According to the \xe2\x80\x9cProcedures manual for internal auditing\xe2\x80\x9d (pg. 7) the process flow for the\n                                                  audit is:\n                                                  1) Planning stage.\n                                                  2) Execution\n                                                  3) Audit report\n                                                            a. Prepare draft report (pg. 13)\n                                                            b. Read the draft report to the audited areas to have their input.\n                                                            c. Check that recommendations are been followed.\n                                                            d. Final report\n                                                  4) Follow up\n2.3 Assess the effectiveness of the         1. As documented in the narrative and in the testing schedule, the internal audit department      1. Narrative: D.2.1    Issues noted:\n    internal audit function:                is not independent. Specifically, we noted that the department reports directly to the Minister   2. Procedures for      1. The internal audit department is\n    - Confirm that it is independent in     without having to report to an audit committee independent from the minister.                     internal   auditing        not independent. Specifically,\n        fact                                2. As documented in the testing schedule, the internal audit function has an internal control     D.2.9 and testing          we noted that the department\n    - Confirm that it has an internal       manual.                                                                                           schedule      D.2.2        reports directly to the Minister\n        audit manual                        3. There is not a manual of internal controls applicable to MARN. Internal controls are           (G-1)                      without having to report to an\n    - Confirm that there is a manual of     described briefly in section 2.1.7 (pg. 4) of the internal control procedures manual.             4. Email dated             audit committee independent\n        internal controls applicable to     4. Auditors receive training included in the SAI\xe2\x80\x99s annual training plan from the Supreme Audit    7/2/12         from        from the minister.\n        MARN                                Institution once or twice a year. On the other hand, they receive some training from the          Lorena       Flores    2. There is not a manual of\n    - Confirm that auditors received        Ministry of Finance, new fiscal reforms or LACAP. MARN doesn\xe2\x80\x99t have the funds for training.       D.2.14                     internal controls applicable to\n        sufficient training                 Sometimes they have to pay for their trainings.                                                                              MARN.\n                                                                                                                                                                     3. Auditors don\xe2\x80\x99t receive sufficient\n                                                                                                                                                                         training.\n2.4 Assess the internal and SAI\xe2\x80\x99s audit\xe2\x80\x99s   As stated in the narrative, eexternal audits are carried out by the supreme audit institution\n    independence of management and          and they report directly to the Legislative Assembly of the Republic. The document prepared\n    its     effectiveness   given     any   by the supreme audit institution is sent to the Minister first for his revision. He can make\n    independence issues                     changes to the report if necessary. Considering this, we may say that they have a certain\n      - Is the SAI independent of the       level of independence but not complete independence.\n        executive?\n      - What is its mandate?\n      - Does it have its own fiscal\n        database?\n      - Does the scope of the external\n\n                                                                                                                                                                                          69 \n\n\x0cTHIRD CRITERION:                              INFORMATION AND COMMUNICATION\nQuestions to evaluate the compliance          Observations of the author, based on the analysis of available documents and enquiry                Reference to         Assessment of the Author\nwith the criterion                            of the entity subject to assessment                                                                 documents (copy\n                                                                                                                                                  attached)\n\n\n        audit include all major public\n        sector entities?\n     - Does the entity have clear\n        procedures to report the internal\n        control weaknesses?\n     - Does management issue an\n        annual report/declaration on its\n        assessment of the internal\n        control environment?\n     - If no SAI exists, by who (if at all)\n        are external audits performed?\n           \xef\x82\xa7 External professional audit\n             firms?\n           \xef\x82\xa7 Audit bodies from other\n             organizations?\n           \xef\x82\xa7 Other?\n2.5 Make a selection of MARN\xe2\x80\x99s prior          Internal Audit: The report is effective, issues, vulnerabilities, and internal control weaknesses   - Audit Report No.   Issues noted:\n    internal and external audit reports       are included in the audit report and transmitted to the audited area in an acceptable period of     115-10-10 D.2.8      1. In the Internal Audit follow up\n    and evaluate                              time, but recommendations and follow up on recommendations are not addressed timely.                - Test schedule:        recommendations Matrix (see\n    - The reports effectiveness               Internal control weaknesses are identified during the audit but they are not addressed timely.      D.2.2 (H-D)             attached pdf document) two\n    - Issues or vulnerabilities are           In audit report No. 115-10-10 the follow up of recommendations was done when the next                                       projects (115-10-10 & 118-05\xc2\xad\n        addressed timely                      audit report is prepared (1 year after).                                                            - Internal Audit        11) are on hold, they stated that\n    - Recommendations                   are                                                                                                       Follow up Matrix        they are going to follow up on\n        addressed timely                                                                                                                          D.2.11                  this recommendation on 2012,\n    - Review the issues noted in the                                                                                                                                      month is not specified. Lic.\n        reports for their potential impact                                                                                                        - Email dated           Lorena de Rubio stated in the\n        to the project and determine if       External Audit (Open)                                                                               7/2/12 from             attached     email     that     the\n        such      issues     have      been                                                                                                       Lorena Flores           procedures manual does not\n        addressed timely.                                                                                                                         D.2.12                  establish a due date to follow up\n    - Confirm that internal control                                                                                                                                       recommendations.\n        weaknesses are identified during                                                                                                                               2.     We     selected     2    audit\n        the audit and they are addressed                                                                                                                                  recommendations from audit\n        timely                                                                                                                                                            report      No.        115-10-10;\n    - Does MARN have the capacity to                                                                                                                                      recommendations 1 & 2. They\n        review and respond to SAI                                                                                                                                         have not given follow up to\n        findings timely and effectively?                                                                                                                                  these           recommendations\n                                                                                                                                                                          according to the matrix for follow\n                                                                                                                                                                          up of recommendations (see\n                                                                                                                                                                          attached pdf file pg. 19/61). Lic.\n                                                                                                                                                                          de Rubio stated in the attached\n\n\n                                                                                                                                                                                              70 \n\n\x0cTHIRD CRITERION:                              INFORMATION AND COMMUNICATION\nQuestions to evaluate the compliance          Observations of the author, based on the analysis of available documents and enquiry             Reference to          Assessment of the Author\nwith the criterion                            of the entity subject to assessment                                                              documents (copy\n                                                                                                                                               attached)\n\n\n                                                                                                                                                                      email that the procedures\n                                                                                                                                                                      manual does not establish a due\n                                                                                                                                                                      date     to    follow  up    on\n                                                                                                                                                                      recommendations and that they\n                                                                                                                                                                      follow up on recommendations\n                                                                                                                                                                      when they perform the next\n                                                                                                                                                                      audit. (See note i).\n2.6 When it comes to the periodic             The periodicity coverage for audit varies from 6 months to 2 years as noticed in audits tested   Narrative: D.2.1      No issue noted.\n    coverage of audits, evaluate:             No (118-05-11, 112-09-10, and 115-10-10). As documented in the narrative, they perform a\n    - What is the periodicity/targeted        bi-annual financial and administrative evaluation.\n        coverage of audits?                   As documented in the narrative, every audit report is sent to the supreme audit institution.\n    - To what extent are audits carried       The law requires considering the financial statements while conducting an audit.\n        out?\n    - Are the annual financial                Audit plans are conducted by the internal audit area.\n        statements regularly presented to\n        an SAI or similar body?\n2.7 When it comes to the type of audits,      As documented in the narrative, the types of audits being performed are:                         Narrative: D.2.1      We noted that IT audits are not\n    evaluate:                                    a) The financial statements (Internal control, financial and compliance with laws). This is   Email        dated    conducted by the internal audit\n     - What types of audits are being                 documented in the testing schedule (H).                                                  6/28/12        from   function. This is confirmed by an\n        performed: financial, internal           b) Check if fractional purchases were done (because they are not permitted), if there is      Lorena       Flores   email sent by Internal Auditor\n        controls, compliance,                         competition among suppliers and if the bidding process is transparent.                   D.2.15                Chief (answer # 3).\n        performance, specific subject            c) Audit of project funds.\n        audit, IT audits, special projects,      d) Other audited funds: sale of natural products and SNET.\n        procurements, vendors, other?         We noted that IT audits are not conducted by the internal audit function.\n2.8 Obtain other reports or related           MARN:                                                                                            Narrative: D.2.1      Issue noted:\n    reports for the last three years to       As noted in the management control section, MARN does not have a risk assessment                 Audit reports:        We noted that MARN does not\n    inform the risk assessment process        process performed by government officials.                                                       No. 118-05-11 pg.     have a risk assessment process\n    relative to the areas being assessed      As stated in the testing schedule, from the sample selected we noted that the reports or tools   5, D.2.6              performed     by   government\n    and to the proposed implementation        are not used effectively because the issues or vulnerabilities are not addressed timely.         No. 112-09-10 pg.     officials.\n    mechanism and evaluate that:              These audits selected (See: No. 118-05-11 pg. 5, No. 112-09-10 pg. 5, and 115-10-10 pg. 7),      5, and D.2.7\n    - The reports or tools are used           have a small section to inform about risk assessment process relative to the areas being         No. 115-10-10 pg.     SAI:\n        effectively                           assessed.                                                                                        7 D.2.8               The SAI does not establish\n    - Issues or vulnerabilities are           As stated in the narrative risk assessment is performed according to the following:                                    timeframes     for    completing\n        addressed timely                       -    The valuation of the risk assessment is established in the official journal.                                     government audits. The audit\n                                               -    The regulation states that the Minister and his team must evaluate the risk. Including                           report for MARN for the period\n                                                    what are the risks and how to mitigate them.                                                                     ended December 31, 2009 was\n                                               -    The internal audit has to audit what is established by law.                                                      published in February 2012 (26\n                                               -    According to the law there is a committee of public ethics which is headed by human                              months later) and the report for\n                                                    resources, but is outside the scope of internal audit.                                                           the period ended December 31,\n                                               -    If it there is lack of material, the ministry may request them an audit.                                         2010 was published on May 2012\n\n                                                                                                                                                                                         71 \n\n\x0cTHIRD CRITERION:                            INFORMATION AND COMMUNICATION\nQuestions to evaluate the compliance        Observations of the author, based on the analysis of available documents and enquiry                Reference to          Assessment of the Author\nwith the criterion                          of the entity subject to assessment                                                                 documents (copy\n                                                                                                                                                attached)\n\n\n                                            -    If there are some other anomalies, the Ministry may also request an audit.                                           (17 months later\n\n                                            SAI:\n                                            We reviewed the audits conducted by the SAI of MARN and found no evidence to indicate\n                                            that audits conducted by the SAI need to be completed within an established time frame. For\n                                            instance, the audits for the period ended December 31, 2009 was published on February\n                                            2012 and the one for the period ended December 31, 2010 was published on May 2012.\n2.9 Evaluate the effectiveness of           MARN:                                                                                               No. 115-10-10 pg.     Issue noted:\n    MARN\xe2\x80\x99s follow-up process for            For internal audit findings MARN\xe2\x80\x99s follow up process is not good. As documented in the              7 D.2.8 pg. 22        MARN:\n    internal and external audit findings    narrative, they perform a follow up of the findings at the end of the fiscal year to be sure that   Email        dated    We        noted      that      audit\n                                            they are solved. As observed in audit report No. 115-10-10 pg. 22, and documented in email          6/29/12        from   recommendations are not followed\n                                            sent by internal auditor, follow up of recommendations are done when the next audit report is       Lorena       Flores   up on time.\n                                            prepared (1 year after).                                                                            D.2.12                SAI:\n                                                                                                                                                                      Corte de Cuentas is the supreme\n                                            SAI:                                                                                                                      audit institution (SAI) responsible\n                                            We reviewed the policies and procedures from the SAI and discussed them with MGT and                                      for carrying out the audits of\n                                            noted that according to the SAI, the rules state that the results of the audit are to be made                             government institutions. During\n                                            public, but this is understood as the audits being made available to public officials via access                          our review, we noted that results\n                                            to the reports at the Court of Accounts building. The results of the audits are not published so                          of the audits conducted by the SAI\n                                            the public is not made aware of the results \xe2\x80\x93 This is reported as issue #1                                                are not made public although the\n                                                                                                                                                                      law states that the audits are to be\n                                                                                                                                                                      made public. Per the SAI, the\n                                                                                                                                                                      GOES interpretation of the\n                                                                                                                                                                      wording \xe2\x80\x9cmade public\xe2\x80\x9d is to be\n                                                                                                                                                                      conducted by a public institution\n                                                                                                                                                                      and be made available to public\n                                                                                                                                                                      officials\n2.10Evaluate MARN\xe2\x80\x99s effectiveness and       For internal audit findings MARN\xe2\x80\x99s follow up process is not good. As documented in the              No. 115-10-10 pg.     Issue noted:\n    timeliness in adopting internal         narrative, they perform a follow up of the findings at the end of the fiscal year to be sure that   7 D.2.8 pg. 22        We        noted      that      audit\n    control recommendations                 they are solved. As observed in audit report No. 115-10-10 pg. 22, and documented in email          Email        dated    recommendations are not followed\n                                            sent by internal auditor, follow up of recommendations are done when the next audit report is       6/29/12        from   up on time, as a consequence, the\n                                            prepared (1 year after).                                                                            Lorena       Flores   reports are not used effectively\n                                                                                                                                                D.2.12                and issues or vulnerabilities are\n                                                                                                                                                                      not addressed timely.\n2.11Evaluate the capacity of the auditors   MARN:                                                                                               Narrative: D.2.1      Issue noted:\n    and determine that auditors are:        As documented in the narrative, the Profile of employees currently employed is:                                           MARN:\n    - Independent, objective, impartial     -    Internal auditor: 5 years of experience in the MARN.                                                                 The internal audit department is\n    - Possess the necessary                 -    Technician: 5 years of experience in ISNA, he also had experience in internal audit and                              not independent. Specifically, we\n       professional competence in the            accounting.                                                                                                          noted that the department reports\n       audit field                          -    Technician: 1 year of experience but he did not have experience in public auditing.                                  directly to the Minister without\n\n                                                                                                                                                                                           72 \n\n\x0cTHIRD CRITERION:                              INFORMATION AND COMMUNICATION\nQuestions to evaluate the compliance          Observations of the author, based on the analysis of available documents and enquiry              Reference to          Assessment of the Author\nwith the criterion                            of the entity subject to assessment                                                               documents (copy\n                                                                                                                                                attached)\n\n\n                                              -    The internal auditors are not independent because they have to report to the minister.                             having to report to an audit\n                                                                                                                                                                      committee independent from the\n                                              SAI:                                                                                                                    minister.\n                                              We noted that the president of the SAI are politically appointed by the legislature and this                            SAI:\n                                              raises questions about its independence.                                                                                Officials of the SAI are politically\n                                                                                                                                                                      appointed by the Legislative\n                                                                                                                                                                      Assembly, which may raise\n                                                                                                                                                                      doubts about the SAI\xe2\x80\x99s\n                                                                                                                                                                      independence\n2.12Evaluate how audits of programs are       As documented in the narrative:                                                                   Narrative: D.2.1      Issue noted:\n    managed. Determine by whom are            Generally with projects, the organization states in the agreement or contract if the funds will   Email        dated    The audit firm should be selected\n    these audits carried out:                 be audited by a sub-contracted auditing firm. The funds for these audits are provided by the      7/2/12         from   by the donor not by the recipient,\n     - Auditors appointed by the              donor. The selection of the audit firm is done by the MARN through UACI and the project           Lorena       Flores   this      generates      lack        of\n       implementing partner?                  coordinator. If this is not set in the contract or agreement, the audit is carried out by the     D.2.14                independence.\n     - Auditors appointed by the              internal audit of the Ministry. Lic. Rubio (MARN Internal auditor) said that they select which\n       procuring entity?                      audit they are going to do according to the following parameters:\n                                                   1)    Date of finalization of the contract or agreement.\n                                                   2)    According to the percentage of implementation (they generally choose 2 projects).\n2.13Does MARN perform audits of               As documented in the email from Lic. Lorena Flores, MARN does not perform audits of               Email       dated     Issue noted:\n     partners and/or vendors? If so,          partners and/or vendors.                                                                          7/2/12        from    MARN does not perform audits of\n     please confirm the following:                                                                                                              Lorena      Flores    partners and/or vendors.\n   -     Who performs such audits?                                                                                                              D.2.14\n   -    What standards are used for\n        such     audits?     (International\n        standards)\n   -    How are the results tracked?\n\n\n\n\n                                                                                                                                                                                             73 \n\n\x0c                                                            Appendix IV\n\n\n\n\nFOURTH CRITERION:\n\n   COMPLIANCE \n\n\n\n\n\n         Date of the assessment:\t   Completed on 09/20/12\n         Author of the assessment: I\tvan Magana,\n                                    Blanca Ibarra,\n                                    Juan Carlos Rivas\n\n\n\n\n                                                                    74\n\x0c1.     Compliance         with     laws  and     We reviewed compliance with laws and regulations as noted in the narrative.                  E.2.2             Issues noted in the audit and\n       regulations:                              MARN does not have any tools used to monitor compliance with laws and regulations or                           procurement sections\n1.1.    Obtain      an     understanding    of   track compliance. As discussed in the procurement and audit sections, there is enforcement\n        MARN\xe2\x80\x99s requirements and policies         of the law by internal audit and procurement controls\n        to comply with GOES\xe2\x80\x99s laws and\n        regulations\n        - Review mechanisms or tools\n           used by MARN to track\n           compliance\n        - Review mechanisms or tools\n           used to understand applicable\n           laws\n1.2.    Verify MARN\xe2\x80\x99s compliance with            This was tested in the procurement section                                                   E.2.2             Issues noted in the procurement\n        GOES\xe2\x80\x99s public procurement law                                                                                                         Compliance with   section\n        (LACAP) and regulations, the AFI                                                                                                      laws\n        law and its regulations\n        - What is required by law?\n        - How is it complied with?\n        - Is the public procurement law\n           accessible to the public?\n        - Does the law apply to all public\n           bodies, sub-national\n           governments and entities when\n           budget funds are used?\n        - Does the law cover goods, works\n           and services?\n        - Have implementing regulations\n           and sample documents been\n           prepared to aid procuring entity\n           compliance? (CPIs)\n        - Are spending ministries and sub-\n           entities familiar with (and\n           generally compliant with) the\n           law?\n1.3.    Based on the first assessment,           This was tested in the procurement section                                                   E.2.2             Issues noted in the procurement\n        understand       and     assess   the                                                                                                                   section\n        potential impact of local law on the\n        program, such as:\n        - Potential impact of delays caused\n           by laws such as LACAP\n1.4.    Verify that MARN monitors vendors        MARN does follow compliance with agreements by vendors when it comes to goods and/or                           Issue noted:\n        for compliance with laws and             services impacting GOES funds. However, compliance by vendors with donor agreements                            MARN      personal    lack     the\n        regulations when applicable              seems to be the responsibility of auditor working on behalf of donors. Vendor compliance                       knowledge      of      regulations\n\n\n                                                                                                                                                                                     75 \n\n\x0c     - Confirm how vendor compliance            with terms of agreements with donors seems to be an area lacking strength since personnel                          applicable to USAID agreements.\n        is monitored?                           do not seem to be as familiar with required regulations from agreements.                                           USAID needs to strengthen their\n     - Have vendor audits been                                                                                                                                     capacity and understanding of what\n        conducted?                                                                                                                                                 rules and regulations need to be\n     - Confirm if a standard form is                                                                                                                               enforced and followed by sub-\n        used for vendors and the form                                                                                                                              recipients and third parties used by\n        includes all applicable regulations                                                                                                                        MARN.\n1.5. Verify         compliance           with   We met with personnel and documented our understanding of compliance with laws and               Compliance with   Issues noted in the Management\n     transparency and anti-corruption           regulations as documented in the narrative (see Compliance with laws )                           laws              controls section.\n     laws                                       When it comes to the transparency law, we documented our review of the law and testing           Ethics req\n     - Develop an understanding of              related to it in the section \xe2\x80\x9cManagement Controls\xe2\x80\x9d                                               Ethics II\n        what the law requires\n     - Confirm        that     MARN      has\n        established good mechanisms to\n        communicate any issues with the\n        applicable agency\n     - Confirm that the agency in\n        charge      of     prosecutions    is\n        properly functioning and that\n        prosecutions          have      been\n        conducted\n     - Confirm that the results of any\n        prosecutions have been made\n        public\n     - Confirm that the laws set forth\n        actions that can be taken against\n        various types of behavior such as\n        conflicts of interest, fraud,\n        unethical behavior and so forth\n     - Does the government have an\n        active anti-corruption program\n        aimed       at       engaging     all\n        stakeholders and inform them of\n        their rights and duties?\n1.6. Identify laws and regulations that         During our discussions with personnel, we were told that according to local law, laws may be     E.2.2             Issue noted:\n     are relevant to the Program:               applicable to the project if the donor elects to have local law apply; otherwise, the law that                     USAID needs to define the\n     - Confirm the impact of such laws          applies is the one designated on the agreement. As such, the local law that may apply would                        applicable law that needs to be\n        to the program                          be all local laws (e.g.: LACAP, Transparency) or the applicable US laws and regulations                            enforced in the agreement.\n     - Confirm that training is provided\n        to employees\n2. Donor           Relationships         and    When it comes to procurement, bidding, vendor selection and publication of results; it was       E.2.2             Issues noted in the procurement\n    Performance Controls:                       tested in the procurement section                                                                                  section\n2.1 Review procurement planning,\n\n\n                                                                                                                                                                                         76 \n\n\x0c      including product selection,\n      quantification, budgeting, and cost\n      estimation, including:\n      - Determine that vendor selection\n        requires bidding\n      - Confirm that bidding requires\n         public announcements\n      - Confirm that the vendor selection\n         process is open and transparent\n      - Does the law require publication\n         of business opportunities and\n         contract awards\n      - Is adequate time provided for\n         offers to prepare and submit\n         bids?\n      - Does the law allow discrimination\n         against firms for reasons other\n         than lack of qualifications? For\n         example, excessive preferences\n         granted to local firms, how SOEs\n         are treated, etc.\n2.2   Review controls over contract         When it comes to use of standard agreements, we confirmed that MARN does develop their   E.2.2   No issues noted\n      awards (e.g.: use of proper           own standard agreements with vendors. However, USAID would have to require compliance\n      instruments such as agreements or     with US laws and confirm that MARN does include the applicable language in their local\n      contracts, complete documentation,    agreements.\n      supporting documentation, etc.)\n      - Confirm that standard documents\n        are available for use\n      - Review controls to ensure that\n        vendors comply with their\n        requirements\n      - Review guidelines used by\n        MARN to confirm that financial\n        and legal requirements (local and\n        international) are followed by\n        recipients or vendors\n      - Are audits required of recipients\n        in accordance with donor\n        agreements?\n      - Develop an understanding of how\n        vendor compliance is followed by\n        employees (i.e.: are employees\n        from the project or MARN used to\n\n\n                                                                                                                                                               77 \n\n\x0c        monitor performance?)\n2.3   Develop an understanding of the          During our meetings, we noted that there is only one donor that it is relying on the GOES       See page 48 and   No issues noted\n      current utilization of country           host country system. Specifically, it is the government of Spain through the agency known as    50 of E.2.3\n      systems by other donors:                 AECID.\n      - What is the proportion of foreign      When it comes to 2011, the total budget for all projects was $14.8M while AECID\xe2\x80\x99s aid\n        aid by all donors managed by           totaled approximately $1M.\n        use of national country system\n      - Do donors provide sufficient\n        financial information for\n        budgeting, tracking and reporting\n2.4   Assess contract management               Contract management for projects is usually handled at MARN manually by using Excel             None              No issues noted\n      during implementation, including         unless a project requires the use of a certain packaged software.\n      dispute resolution methods\n      - How are contracts managed?\n      - What system is used for contract\n        administration?\n      - Assess the potential impact of\n        their contract management on\n        the project\n2.5   Develop an understanding of how          As noted in the audit section, project results are not tracked. Project results are basically   E.2.2             No issues noted\n      project results are tracked of project   prepared as required by the donor and the documentation is made available to the donor if\n      including timeliness and on-budget       required by the agreement or prepared by personnel fully dedicated to the program if\n      deliverables                             required by the donor agreement.\n      - Review tools used to monitor\n        project deliverables\n      - Is the accounting system used to\n        prepare fund accountability\n        statements or are they prepared\n        manually?\n      - How is performance monitored?\n      - Who is responsible for monitoring\n        performance (e.g.: employees of\n        MARN or the project?)\n2.6   Assess the capacity of MARN to           Currently, MARN does not have the employee capacity to monitor all facets of the project        Issue on          Issue noted:\n      plan, execute, monitor, evaluate,        management.                                                                                     compliance        It appears that MARN internal\n      and report on all facets       of                                                                                                                          systems require strengthening in\n      project management                                                                                                                                         terms of additional staff, office\n      - Understand the capacity of the                                                                                                                           space, equipment, and training.\n        employees used to track project                                                                                                                          This situation has led that other\n        performance                                                                                                                                              donors subscribe independent\n                                                                                                                                                                 agreements (See Issue on\n                                                                                                                                                                 compliance)\n\n\n\n                                                                                                                                                                                       78 \n\n\x0c2.7   Make a sample selection of projects\n      developed by MARN for other           Given time constraints, we were unable to complete this section                                 None\n      donors and test the following:\n      - Confirm that projects were\n         completed timely\n      - Confirm that project deliverables\n         were completed as required by\n         the agreements\n      - Assess MARN\xe2\x80\x99s process for\n         monitoring completion of the\n         projects in accordance with\n         agreements or contracts\n      - Assess the impacts of any\n         lessons learned from other\n         projects\n2.8   Assess MARN\xe2\x80\x9ds capacity to                                                                                                                                 Issue noted:\n      develop \xe2\x80\x9cLessons Learned Studies\xe2\x80\x9d     MARN does not have a process by which they examine issues raised during program                 E.2.2               MARN does not take ownership of\n      and apply them to other projects to   evaluations and apply them as Lessons\xe2\x80\x99 Learned. Furthermore, MARN does not take                                     projects funded by donors as they\n      increase their capacity, efficiency   ownership of donor projects where they allocated resources in their budget by project nor tie                       do not receive the reports and\n      and effectiveness                     their budgets to achievement of goals and projects.                                                                 apply them as lessons learned.\n      - Review other projects to confirm\n         that lessons learned have been\n         prepared for other projects\n2.9   Assess organizational structure and                                                                                                                       Issue noted:\n      staffing needs related to the         Currently, MARN does not have the employee capacity to monitor all facets of the project        Issue         on    It appears that MARN internal\n      requirements to be imposed by         management.                                                                                     compliance          systems require strengthening in\n      virtue of the project under                                                                                                                               terms of additional staff, office\n      consideration                                                                                                                                             space, equipment, and training.\n      -                                                                                                                                                         This situation has led that other\n                                                                                                                                                                donors subscribe independent\n                                                                                                                                                                agreements     (See   Issue    on\n                                                                                                                                                                compliance)\n2.10 Assess controls used by MARN to\n     confirm compliance with donor          As previously documented, there is no committee to track results of projects or compliance      See         other   Issues noted above\n     agreements and applicable US           with agreements                                                                                 sections above\n     laws\n     - Is there a committee to review\n       results of projects?\n     - How is compliance with\n       agreements with multiple donors\n       enforced?\n2.11 Assess the feasibility of\n     management of donor funds              As previously discussed, special accounts require that funds managed by use of separate         E.2.2               Potential issue noted at single\n\n\n                                                                                                                                                                                     79 \n\n\x0c     through separate accounts (e.g.:       bank accounts. Furthermore, special funds require that separate budget accounts be tracked.                            account\n     special accounts)\n     - Assess budgetary controls for        Currently, there is a special project related to the SAFI law and system that is considering the\n        this separate accounts              application of a single account rather than the use of various bank accounts. The application\n     - Assess how local laws impacts        of a single account may impact the project depending on how the law is modified in the future\n        special accounts                    requiring that all funds go to the general fund.\n     - Are special accounts exempt\n        from local budgetary law (e.g.:\n        prevent unused funds from being\n        swept to the local budget)\n2.12 Assess the feasibility of satisfying\n     audit requirements related to donor    This was tested in the audit section                                                               See audit section   See issues noted in the audit\n     funds in accordance with GOES                                                                                                                                 section\n     laws and regulations\n     - Review how audits are enforced\n     - Confirm that the auditors are\n        independent of MARN\n2.13 Has the entity identified minimum\n     internal controls required of          This was tested in the audit section                                                               See audit section   See issues noted in the audit\n     implementing partners and vendors                                                                                                                             section\n     in accordance with donor\n     agreements? Assess tools used by\n     the entity to check minimum\n     internal requirements (e.g.: use of\n     contracts, vendor audits, recipient\n     audits, etc.)\n\n\n\n\n                                                                                                                                                                                     80 \n\n\x0c'